How to Write an STR Narrative for goAML: Best Practices

April 18, 2026

Of all the components of a Suspicious Transaction Report, the narrative is the one that determines whether the Financial Reporting Centre acts on your report or files it away without investigation. Schema errors, invalid indicator codes, and missing fields are technical problems — they stop your STR from being submitted. But a weak narrative is a substantive failure. It means your institution has reported a suspicious transaction and then failed to explain why it is suspicious. The FRC receives the report, cannot assess it effectively, and the underlying risk goes uninvestigated.

Kenya's STR rejection and follow-up request rates tell the story. A significant proportion of STRs that pass technical validation still generate FRC follow-up requests asking compliance officers to elaborate on the grounds for suspicion. The reason is almost always the same: the narrative was too brief, too vague, or failed to connect the transaction facts to a recognizable money laundering typology.

This guide gives you a practical framework for writing STR narratives that satisfy Kenya FRC requirements, support FIU investigation, and minimize follow-up requests.

Why the STR Narrative Matters

FRC Guidance on Narrative Requirements

Kenya's legal framework for STR reporting rests on the Proceeds of Crime and Anti-Money Laundering Act 2009 (POCAMLA) and the FRC's published guidance notes, including the Guidance for Reporting Institutions on Suspicious Transaction Reports. The FRC guidance explicitly states that an STR narrative must:

Describe the facts that gave rise to the suspicion
Identify the parties involved and their relationship to the reporting institution
Describe the transactions in sufficient detail for FIU analysis
Reference the specific money laundering typology or risk indicator that applies
State what action, if any, the institution has taken

The FRC does not prescribe a minimum word count in all cases, but the practical minimum for a narrative that achieves these five requirements is approximately 200–300 words for standard typologies, and 500+ words for cases involving terrorist financing (TF) indicators. The Kenya FRC applies stricter narrative length standards to TF-related STRs because of the gravity of the underlying risk and the international reporting obligations triggered.

How Weak Narratives Cause Rejections or FIU Follow-Up Requests

A weak narrative causes one of two outcomes. First, the STR may be technically accepted but placed in a low-priority queue because the FIU analyst cannot quickly assess the significance of the reported activity. In a system receiving hundreds of STRs per month, underspecified reports are deprioritized. Second, the FRC may issue a formal follow-up information request within 10–15 business days, asking your institution to provide additional details. This follow-up consumes analyst time, delays the investigation, and creates an evidence trail of compliance inadequacy if your institution is later audited.

The most common narrative weaknesses that trigger follow-up requests are:

Insufficient transaction description: Stating "customer made unusual transactions" without specifying amounts, dates, channels, or patterns
Missing suspicion reasoning: Describing what happened without explaining why it is suspicious in the context of the customer's known profile and account history
Absent typology reference: Filing an STR without linking the activity to a recognized ML/TF typology
Conclusory language without supporting facts: Writing "the customer appears to be structuring" without describing the specific transactions that evidence structuring behavior

The Difference Between a Narrative That Triggers Investigation vs. One That Gets Filed

An effective STR narrative reads like a brief intelligence report: factual, specific, chronological, and anchored to recognized patterns of illicit financial behavior. An FIU analyst reading your narrative should be able to answer five questions without making additional requests: Who is the subject? What did they do? When and how? Why is this suspicious? What has your institution done about it?

A narrative that answers all five questions concisely — in two to four focused paragraphs — will consistently outperform a narrative that uses four times as many words but answers none of them clearly.

The Five Elements Every STR Narrative Must Include

1. Subject Identification and Background

Open the narrative by identifying the subject and establishing their relationship with your institution. Include:

Full legal name of the subject (individual or entity)
Customer account type (personal current account, business account, etc.)
How long the customer has been with the institution
Customer's stated occupation or business nature (from KYC records)
Account activity profile — what kind of transactions are normal for this customer

This contextual background is essential because it enables the FIU analyst to assess whether the reported activity is genuinely anomalous. A KES 2,000,000 cash deposit is suspicious if the account belongs to a salaried teacher; it may be entirely normal for a registered maize trader. The narrative must establish the baseline before describing the deviation.

Example opening: "The subject is an individual account holder who has maintained a personal current account with the institution since March 2022. The customer's KYC record states their occupation as a secondary school teacher employed by the Teachers Service Commission, with a declared monthly salary of KES 52,000. Account history over the preceding 24 months reflects consistent salary credits and modest personal expenditure consistent with the stated income profile."

2. Transaction Description

The second element is a specific, chronological description of the transactions that triggered the report. Include:

Transaction dates (specific dates, not ranges)
Transaction amounts in exact figures
Transaction types (cash deposit, M-PESA receipt, wire transfer, etc.)
Account numbers and branches involved
Counterparty details if known (who sent or received the funds)
Any observable pattern (frequency, amounts just below threshold, timing)

Avoid vague language such as "multiple large transactions" or "frequent cash deposits." The FRC can pull transaction records, but the narrative should summarize the specific activity without requiring cross-referencing.

Example transaction description: "Between 15 January 2026 and 22 January 2026, the subject conducted seven cash deposits at three separate branches. The individual deposits were as follows: KES 950,000 (Westlands branch, 15 January), KES 870,000 (Upperhill branch, 17 January), KES 940,000 (Ngong Road branch, 19 January), KES 910,000 (Westlands branch, 20 January), KES 960,000 (Upperhill branch, 21 January), KES 880,000 (Upperhill branch, 22 January), KES 945,000 (Ngong Road branch, 22 January). The aggregate deposit total over the eight-day period was KES 6,455,000."

3. Why the Transaction Is Suspicious

This is the element where most STR narratives fail. The compliance analyst has correctly identified a suspicious pattern and correctly described the transactions — but then writes "this activity is unusual and may indicate money laundering" and stops. That single sentence does not explain anything. It restates the label without providing the reasoning.

The reasoning section must explain the specific connection between the observed transaction pattern and the customer's known profile, stated income, and account history. Ask: what is wrong with this picture, and why?

Example reasoning: "The aggregate cash deposits over eight days are irreconcilable with the customer's declared monthly salary of KES 52,000 and their 24-month account history, which has never previously reflected cash deposits exceeding KES 30,000 in any single month. The individual deposit amounts are each below the USD 15,000 equivalent CTR reporting threshold, and the use of three different branches over the period is consistent with deliberate threshold avoidance behaviour. The customer provided no satisfactory explanation when contacted by branch staff."

4. AML Typology or Indicator Reference

Every STR narrative should explicitly name the AML typology and reference the FRC indicator code that applies. The Kenya FRC publishes a list of approved indicator codes in its guidance documentation. Citing the correct indicator code serves two purposes: it demonstrates your institution's analytical capability, and it helps the FRC route the STR to the appropriate investigation team.

For the structuring example above, the applicable indicator is structuring/threshold avoidance. In the narrative, reference it explicitly: "The observed pattern is consistent with the FATF typology of structuring (layering phase), in which illicit funds are broken into sub-threshold amounts to avoid reporting triggers. This aligns with FRC indicator code [applicable code from FRC indicator list]."

For a complete reference to Kenya FRC indicator codes and the typologies they cover, see the related article: STR Indicator Library: AML Typologies for Kenya Banks (2026).

5. Action Taken by the Institution

Close the narrative by stating clearly what your institution has done in response to the suspicious activity. This demonstrates proactive risk management and provides the FRC with information about the current status of the account and relationship.

Actions to document:

Whether the account has been flagged for enhanced monitoring
Whether transactions have been placed on hold or declined
Whether the relationship has been escalated for KYC review
Whether account closure is being considered
Whether the customer has been contacted and, if so, what they said

Example closing: "Following identification of this pattern, the account has been placed under enhanced transaction monitoring with manual approval required for all cash transactions exceeding KES 100,000. A formal KYC review has been initiated and the customer has been requested to provide source of funds documentation. The institution's Head of Compliance has been notified. No account closure has been effected at this stage pending receipt of the customer's response."

Language and Tone — Writing for Regulators

Objective, Factual Language

STR narratives are quasi-legal documents that may be used in FIU investigations, regulatory examinations, and criminal proceedings. They must be written in objective, factual language. Avoid:

Speculative language: "we believe," "it seems," "possibly," "might be," "appears to suggest"
Emotional language: "alarming," "shocking," "bizarre"
Hedge phrases: "in our opinion," "as far as we can tell"

Replace speculation with documented fact. Instead of "the customer seems to be avoiding the reporting threshold," write "each of the seven transactions was below the USD 15,000 equivalent CTR threshold by between USD 200 and USD 1,500."

Chronological Structure

Present transaction facts in chronological order: what happened first, what happened second, what happened third. If multiple accounts or multiple parties are involved, describe each strand separately before drawing connections. Chronological structure makes the narrative easier for FIU analysts to follow and reduces the risk of misinterpretation.

Avoiding Conclusory Statements Without Evidence

Do not state that a customer "is laundering money" or "is a money launderer." This is both legally inappropriate (your institution does not make criminal determinations) and analytically weak. The FRC needs to see the evidence and draw its own conclusions.

Correct approach: "The transaction pattern is consistent with the structuring typology and is not consistent with the customer's declared income and account history."

Incorrect approach: "This customer is clearly structuring transactions to launder money."

Correct Tense and Structure Conventions

Use past tense for all transaction descriptions (the transactions have already occurred). Use present tense for current account status and current institutional actions. Write in the third person — refer to your institution as "the reporting institution" or by name, not as "we" or "us."

STR Narrative Templates by Typology

Structuring / Smurfing Pattern

Subject background: The subject is an individual account holder who has maintained a personal savings account at the institution since June 2021. KYC records indicate the customer is self-employed in small-scale retail trade (sukuma wiki and tomato retail at Gikomba Market, Nairobi). Average monthly account turnover over the preceding 18 months has been approximately KES 85,000, reflecting small cash deposits between KES 10,000 and KES 40,000 per transaction, consistent with daily market income.

Transaction description: Between 3 February 2026 and 10 February 2026, the subject conducted nine cash deposits across two branch locations. The deposits were: KES 985,000 (Eastleigh branch, 3 February), KES 945,000 (Gikomba branch, 4 February), KES 970,000 (Eastleigh branch, 5 February), KES 960,000 (Gikomba branch, 6 February), KES 975,000 (Eastleigh branch, 7 February), KES 990,000 (Gikomba branch, 8 February), KES 955,000 (Eastleigh branch, 9 February), KES 965,000 (Gikomba branch, 9 February), KES 980,000 (Eastleigh branch, 10 February). The aggregate deposit total over the eight-day period was KES 8,725,000.

Suspicion reasoning: The aggregate deposits of KES 8,725,000 over eight days represent approximately 103 times the customer's average monthly account turnover. All nine individual deposit amounts fall between KES 945,000 and KES 990,000 — each deliberately below the USD 15,000 equivalent CTR reporting threshold (approximately KES 1,950,000 at the prevailing buying rate). The use of two branch locations across the period is consistent with deliberate geographic dispersal. When contacted by branch compliance staff on 9 February, the customer stated the funds came from "business proceeds" but was unable to specify customers, transactions, or documentation to substantiate income of this magnitude from a market retail operation. The activity is not consistent with the customer's declared occupation or account history.

Typology reference: The observed pattern is consistent with the FATF structuring/smurfing typology (placement and layering phases), in which illicit funds are broken into amounts below reporting thresholds and deposited in multiple transactions to avoid detection. FRC structuring indicator codes apply.

Action taken: The customer's account has been placed under enhanced monitoring. All incoming cash transactions now require branch manager approval. A formal KYC review has been initiated and the customer has been requested to provide source of funds documentation for all deposits in the period. The institution's Head of Compliance has been notified. The institution is assessing whether to proceed to account closure pending the outcome of the KYC review.

Mobile Money Layering (M-PESA Rapid Receive-Withdraw-Send Pattern)

Subject background: The subject is an individual account holder who has maintained a mobile-linked current account at the institution since January 2023. KYC records indicate the customer is a secondary school student, aged 22, with no declared income source. The account was opened with a KES 500 minimum deposit. Account history over the preceding 12 months reflects intermittent small M-PESA receipts and withdrawals averaging KES 5,000–15,000 per transaction, consistent with a student's personal remittance profile.

Transaction description: Between 11 March 2026 and 13 March 2026, the subject's linked M-PESA account received 14 separate mobile money transfers totalling KES 1,875,000. The individual receipts ranged from KES 95,000 to KES 145,000, each from a different sender's M-PESA number and each well below the USD 15,000 equivalent CTR threshold. Within 20 minutes of each receipt, the subject withdrew the received amount via M-PESA cash-out, typically at different M-PESA agents. Of the total receipts of KES 1,875,000, KES 1,820,000 was withdrawn within 45 minutes of receipt. The net account balance change over the three-day period was KES 55,000. The fourteen sending M-PESA numbers are unregistered in the customer's contact records and do not correspond to any previously known counterparty in the account history.

Suspicion reasoning: The transaction pattern — receipt of multiple same-day transfers from numerous unrelated senders followed by near-immediate cash-out — is consistent with mobile money layering, in which illicit funds are transferred through multiple mobile wallets to obscure the origin before cash extraction. The customer's student profile and prior transaction history are irreconcilable with incoming transfers of this volume. The rapid cash-out pattern (within 20 minutes of receipt) and the use of multiple different M-PESA agents for withdrawal are consistent with deliberate obfuscation of fund flow. The customer's account appears to be functioning as a transit account or "mule account" in a layering chain.

Typology reference: The activity is consistent with the mobile money layering typology identified in the FATF guidance on virtual assets and mobile payment systems, and with Kenya FRC mobile money typology indicators applicable to M-PESA channel activity.

Action taken: The institution has suspended M-PESA linkage for this account pending investigation. Enhanced monitoring has been applied. The customer has been contacted and has failed to provide a credible explanation for the transaction pattern. The case has been escalated to the institution's AML Investigation Team for enhanced due diligence review.

Real Estate Purchase with Cash

Subject background: The subject is the registered owner of a small private limited company incorporated in Nairobi in 2024, operating under the stated business type of "general merchandise trading." The company has maintained a business current account at the institution since incorporation. Account history reflects modest turnover averaging KES 180,000–240,000 per month, primarily in small supplier payments and cash withdrawals described as "stock purchases." No property assets are disclosed in the company's KYC records or annual financial filings.

Transaction description: On 27 February 2026, the company account received a single cash deposit of KES 12,500,000. On 28 February 2026, the institution received a written instruction from the account holder to issue a banker's cheque for KES 12,400,000 payable to a named law firm. Supporting documentation provided by the account holder described the cheque as settlement for "property conveyancing." The transaction depleted the account to near-zero. A search of public property records conducted by the institution's compliance team identified a residential property in Kilimani, Nairobi, transferred to a nominee director of the company on 1 March 2026, registered value KES 12,200,000. No mortgage or property finance is recorded against the transaction.

Suspicion reasoning: The cash deposit of KES 12,500,000 represents over 52 times the company's average monthly account turnover and is not consistent with the company's stated business of general merchandise trading. The immediate conversion of the deposit to a banker's cheque for property conveyancing, combined with the registration of the property in the name of a nominee director rather than the company or its disclosed beneficial owner, raises serious concerns about the use of a corporate structure and a nominee arrangement to obscure the true beneficiary of a cash-funded real estate purchase. The company has no documented operational history that would explain an asset purchase of this scale.

Typology reference: The activity is consistent with FATF typologies relating to real estate as a vehicle for money laundering (integration phase), involving cash-intensive property purchases structured through shell or nominee arrangements. FRC real estate and beneficial ownership indicator codes apply.

Action taken: The banker's cheque instruction has been placed on hold pending compliance review. The account has been escalated to the Head of Compliance. The institution is seeking legal advice on its obligations under POCAMLA regarding the pending transaction. Enhanced KYC has been requested from the account holder including source of funds documentation, audited financial statements, and full beneficial ownership disclosure.

Terrorist Financing Red Flag

Subject background: The subject is an individual customer who has maintained a personal savings account at the institution since April 2024. KYC records identify the customer as a Kenyan national, aged 34, with a stated occupation of "freelance logistics consultant." The account has historically received small irregular credits in the range of KES 20,000–80,000, withdrawn shortly after receipt. No business registration is linked to the account. In January 2026, the institution's compliance team noted that the customer's name appeared on an international sanctions screening alert referencing a UN Security Council listed entity with connections to a designated terrorist organization operating in the Horn of Africa region. The sanctions screening alert was not a confirmed match but was flagged as a potential match requiring investigation.

Transaction description: Between 1 March 2026 and 20 March 2026, the subject's account received eight wire transfers totaling KES 3,200,000 from three overseas remittance corridors: two transfers totaling KES 820,000 originating from a UAE-based exchange house, three transfers totaling KES 1,380,000 originating from a Somalia-based mobile money aggregator, and three transfers totaling KES 1,000,000 originating from a UK-based Hawala network identified in prior FRC typology guidance. Each incoming transfer was followed within 24–48 hours by a cash withdrawal of 85–95% of the received amount. No outgoing wire transfers have been recorded. The account has not been used for any identifiable retail or business expenditure.

Suspicion reasoning: The combination of unresolved sanctions screening alerts, the receipt of funds from high-risk jurisdictions and from counterparties in remittance corridors commonly associated with informal value transfer systems, and the rapid cash-out pattern without identifiable commercial purpose collectively give rise to a reasonable suspicion of terrorist financing. The account's function as a pure inbound-to-cash-out transit account — with no retail expenditure, no identified business purpose, and no linkage to the customer's stated occupation — is not consistent with legitimate financial activity. The origin of funds from a Somalia-based mobile money aggregator, in the context of the unresolved sanctions screening alert, elevates the risk profile of this account to the highest level maintained by the institution. The cash withdrawal pattern, in which 85–95% of incoming funds are extracted within 48 hours, is consistent with methodologies used to move funds to ultimate beneficiaries while minimizing institutional record exposure. The institution notes that this report is being filed notwithstanding the absence of a confirmed sanctions match, on the basis of reasonable grounds to suspect terrorist financing activity under Section 19 of POCAMLA.

Typology reference: The activity is consistent with FATF TF typologies involving the use of money service businesses, informal value transfer systems (Hawala), and mobile money platforms to move funds to or from designated entities and high-risk jurisdictions. Kenya FRC TF indicator codes apply. As this report involves TF indicators, the institution draws the FRC's attention to the UN Security Council sanctions screening alert and provides the screening case reference number.

Action taken: The account has been frozen pending outcome of this STR and any resulting FIU directive. All pending and future transactions have been suspended. The institution's Head of Compliance and General Counsel have been notified. The institution is prepared to provide full KYC documentation, transaction records, and screening documentation to the FRC upon request. The institution requests priority processing of this report given the TF indicator designation.

Common Mistakes That Lead to FRC Follow-Up

Compliance teams that consistently receive FRC follow-up requests on their STRs are typically making one or more of the following errors:

Filing with no narrative at all: Some submissions are technically valid XML but contain an empty <reason> element or a single-sentence placeholder. The FRC will always follow up on these.
Copying the transaction description into the narrative field: Pasting raw transaction data without analysis or reasoning does not constitute a narrative.
Using vague time references: Writing "in recent months" instead of specific dates makes the report nearly impossible to act on.
Omitting the customer profile baseline: Without establishing what normal looks like for this customer, the FRC cannot assess why the reported activity is abnormal.
Failing to explain the connection to a typology: Describing a suspicious pattern but not naming the ML/TF typology it resembles leaves the FRC's analyst to make a connection that should be made by the reporting institution.
Over-relying on indicator codes as a substitute for narrative: Selecting indicators without supporting them in the narrative body creates a mismatch that the FRC will flag.
Not documenting the institution's response: The FRC wants to know what your institution has done. "No action taken" is sometimes legitimate but must be stated explicitly and briefly justified.
Including legal conclusions: Do not write "the customer has committed money laundering" or "this is a confirmed case of structuring." Write facts, not verdicts.

The Narrative Workflow — Draft, Review, Approve

Analyst Drafts → Compliance Officer Reviews → Head of Compliance Approves

A well-governed STR narrative workflow has three stages. The investigating analyst, who has direct knowledge of the account and the transaction pattern, drafts the initial narrative. A senior compliance officer reviews the draft for completeness, analytical quality, and regulatory adequacy — applying the five-element checklist described above. The Head of Compliance or designated MLRO gives final approval before submission.

This three-stage workflow adds oversight without unnecessary bureaucracy. It ensures that at least two experienced compliance professionals have reviewed every narrative before it is filed with the FRC, substantially reducing the risk of weak or inadequate narratives reaching the FIU.

Using a Platform to Enforce Narrative Completeness Checks

An automated AML reporting platform can enforce narrative completeness as a pre-submission condition. The Creodata goAML platform, for example, requires:

Minimum word count for the narrative field based on the selected indicator codes (higher for TF indicators)
All five narrative elements to be present (subject background, transaction description, suspicion reasoning, typology reference, action taken) as tracked fields in the case record
Compliance officer approval workflow before the STR is submitted to the FRC
Completeness scoring visible to the analyst as they write, prompting gaps to be filled before submission

This systematic approach eliminates the most common causes of FRC follow-up requests before the STR is ever submitted.

Word Count Minimums and Completeness Scoring

As a working guideline:

Standard ML typologies (structuring, layering, integration): Minimum 250 words
Mobile money typologies: Minimum 300 words (additional context required on channel patterns)
Real estate typologies: Minimum 350 words (beneficial ownership narrative required)
TF indicator cases: Minimum 500 words (Kenya FRC practice standard)

These are not FRC-mandated minimums but are consistent with the level of narrative detail that reliably avoids FRC follow-up requests in practice.

File Better STRs, Starting Today

The difference between an STR that drives FIU investigation and one that generates a follow-up request — or gets set aside — comes down almost entirely to the quality of the narrative. The framework in this guide gives your compliance team the structure to write narratives that are factual, analytical, typology-referenced, and action-documented.

Creodata's goAML platform enforces this framework systematically — with narrative completeness scoring, indicator alignment checks, and a full approval workflow — so every STR your institution files is investigation-ready.

See how the platform works for your team.

Request a Demo → https://www.creodata.com/demo

Related articles: