Kenya FRC goAML Reporting: Complete Guide 2026
Kenya's financial system moves fast. From mobile money transactions processed in seconds to cross-border remittances flowing through dozens of licensed providers, the velocity and volume of transactions that compliance teams must monitor have grown dramatically over the past decade. At the centre of Kenya's anti-money laundering regime sits the Financial Reporting Centre (FRC), and at the centre of how the FRC receives intelligence from reporting institutions sits the goAML portal.
For compliance officers at banks, SACCOs, microfinance institutions, forex bureaus, and payment service providers, the ability to file accurate, timely Cash Transaction Reports (CTRs) and Suspicious Transaction Reports (STRs) through the goAML system is not optional — it is a legal obligation under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA). The consequences of non-compliance range from regulatory censure to criminal prosecution of responsible officers.
This guide explains everything your institution needs to know about Kenya FRC goAML reporting in 2026: the legal framework, who must report, what each report must contain, Kenya-specific localisation rules, and how automation is transforming compliance operations across the sector.
Understanding Kenya's Financial Reporting Centre (FRC)
Legal Mandate Under POCAMLA 2009 (as Amended 2023)
The Financial Reporting Centre was established under the Proceeds of Crime and Anti-Money Laundering Act, 2009 (POCAMLA). The Act creates Kenya's primary AML/CFT legal framework, obligating all "reporting institutions" to detect, report, and keep records of financial transactions that may be connected to money laundering, terrorism financing, or proceeds of crime.
POCAMLA has been amended several times since its enactment, most significantly by the Proceeds of Crime and Anti-Money Laundering (Amendment) Act 2023. The 2023 amendments strengthened the FRC's supervisory and enforcement powers, introduced updated definitions of reporting entities, and aligned Kenya's framework more closely with the Financial Action Task Force (FATF) Recommendations — particularly in the areas of beneficial ownership transparency, risk-based supervision, and the quality standards expected of STR and CTR submissions.
Under Section 24 of POCAMLA, the FRC is mandated to receive, analyse, and disseminate financial intelligence to law enforcement agencies and the Director of Public Prosecutions. The Act further empowers the FRC to impose administrative sanctions on reporting institutions that fail to meet their obligations.
The Centre operates under the supervision of Kenya's National Treasury and Economic Planning ministry and works in close coordination with the Central Bank of Kenya (CBK), the Capital Markets Authority (CMA), the Insurance Regulatory Authority (IRA), and the Directorate of Criminal Investigations (DCI).
What the FRC Does With STR and CTR Data
When your institution submits a CTR or STR to the FRC through the goAML portal, that data does not simply sit in a database. The FRC's intelligence analysts use it in several critical ways.
CTR data is aggregated at the FRC to identify structuring patterns — customers or networks that systematically transact just below the USD 15,000 equivalent threshold to avoid generating reports. Because CTR data flows in from every reporting institution across Kenya, the FRC can see patterns that no single bank can detect in isolation. A customer splitting cash across five branches of two different banks on the same day may not trigger a CTR at any individual branch (and under FRC Circular No. 4 of 2023 should not — see the CTR section below), but the FRC sees the full picture and expects institutions to file STRs where splitting looks suspicious.
STRs trigger investigative workflows. Once received, they are analysed for connections to known persons of interest, active investigations, or typology patterns shared by FIUs across the EGMONT Group. When sufficient intelligence accumulates, the FRC disseminates a financial intelligence report (FIR) to law enforcement. STR data is also used to generate Kenya's national money laundering risk assessment, which in turn shapes the FRC's supervisory priorities.
Both report types feed into Kenya's goAML analytics environment, where the FRC runs link analysis, network mapping, and transaction pattern queries across the full corpus of submitted data.
FRC's Use of the UNODC goAML Portal
The FRC adopted the UNODC goAML system — the same platform used by over 60 financial intelligence units worldwide — as its primary reporting portal. The goAML system accepts reports in a specific XML format governed by the goAML XSD v5.0.2 schema. Reports submitted in any other format, or XML that does not validate against the schema, are rejected.
This is a critical point for compliance teams. The goAML portal is not a web form where you type information manually. It is an XML-based data exchange system. Your institution must produce machine-readable XML files in the exact format the FRC's goAML instance expects, with Kenya-specific field rules applied on top of the base schema.
Every STR and CTR must be submitted as a well-formed, schema-valid XML document. The FRC's system performs automated validation on receipt and will reject malformed or incomplete submissions immediately — triggering a rejection notice that starts a compliance breach clock.
Who Must Report to the FRC?
Reporting Institutions Under POCAMLA
Section 2 of POCAMLA defines "reporting institutions" broadly. The following entity types are required to register with the FRC and file STRs and CTRs:
- Commercial banks and mortgage finance companies regulated by the Central Bank of Kenya
- Microfinance banks and deposit-taking microfinance institutions licensed under the Microfinance Act
- Savings and Credit Co-operative Societies (SACCOs) regulated by SASRA (Sacco Societies Regulatory Authority) with a front-office service activity
- Foreign exchange bureaus and money remittance providers licensed by the CBK
- Payment service providers (PSPs) including mobile money operators (Safaricom M-PESA, Airtel Money Kenya, T-Kash), licensed under the National Payment System Act
- Securities firms, investment banks, and collective investment schemes regulated by the CMA
- Insurance companies and brokers regulated by the IRA
- Real estate agents when conducting transactions on behalf of clients
- Accountants and auditors in public practice when conducting certain designated transactions
- Advocates when handling client funds or real property transactions
- Casinos and betting companies licensed under the Betting, Lotteries and Gaming Act
- Trust and company service providers
This list is not exhaustive. The FRC has issued guidance notes expanding the scope of covered entities, and the 2023 amendments further broadened coverage to capture virtual asset service providers (VASPs) and certain dealers in high-value goods.
Exceptions and De Minimis Thresholds
While the list of reporting institutions is extensive, POCAMLA does not require every single transaction to be reported. CTR obligations are triggered by the USD 15,000 (or equivalent in any other currency) cash threshold (discussed in detail below). STR obligations are triggered by suspicion, not by amount — there is no de minimis for suspicious activity.
Some categories of transactions are excluded from the cash reporting threshold. Interbank transactions, transactions between reporting institutions for their own account, and certain government payments are treated differently under FRC guidance. However, compliance officers should obtain specific legal advice before treating any transaction category as exempt, as the FRC has taken enforcement action against institutions that applied exemptions too broadly.
Agent and Branch Considerations
Agent banking has expanded significantly in Kenya, with commercial banks operating tens of thousands of licensed agents across the country. The question of who bears the reporting obligation — the bank or the agent — is important.
Under FRC guidance, the principal institution (the bank) retains the reporting obligation for transactions conducted through its agents. Agents are not themselves reporting institutions unless they independently meet the definition. This means banks must have systems capable of applying the USD 15,000-equivalent per-transaction CTR threshold to agent-channel transactions alongside branch and digital-channel transactions, and surfacing structuring patterns across channels for STR review.
Similarly, a bank with multiple branches must have unified visibility of cash transactions across branches and channels so that (a) any single cash transaction at or above the threshold — wherever it is conducted — triggers a CTR, and (b) patterns of sub-threshold activity by the same customer across branches can be evaluated for STR purposes. Fragmented, branch-silo visibility is the most common cause of both missed CTRs and missed structuring STRs in Kenya.
Cash Transaction Reports (CTRs) — What You Need to Know
USD 15,000 Threshold — What Counts
Regulation 40(1) of the Proceeds of Crime and Anti-Money Laundering Regulations 2023 (POCAMLR) requires a Cash Transaction Report to be filed on every cash transaction equivalent to or exceeding USD 15,000 or its equivalent in any other currency, whether or not the transaction appears to be suspicious. This threshold was raised from USD 10,000 by the Anti-Money Laundering and Combating of Terrorism Financing Laws (Amendment) Act 2023 (effective 15 September 2023).
"Cash" in this context means physical currency notes and coins. Electronic transfers, cheques, and card transactions are not cash transactions for CTR purposes, though they may separately trigger STR obligations if suspicious. Mobile money agent cash-in and cash-out transactions are treated as cash transactions for threshold purposes.
The threshold applies to both deposits and withdrawals. A single cash deposit or withdrawal equivalent to or above USD 15,000 — in any currency, converted at the institution's prevailing buying rate on the transaction date — is a CTR-triggering event.
Foreign currency cash transactions are assessed in USD-equivalent terms, with the original currency amount, applied exchange rate, and USD-equivalent all recorded in the CTR XML.
Same-Day Sub-Threshold Transactions: No Aggregation for CTR
Financial Reporting Centre Circular No. 4 of 2023 (19 October 2023) is explicit on this point. Paragraph 4.3 of the circular provides that where multiple cash transactions are carried out in a day in a single account and each transaction individually falls below the reporting threshold, the reporting institution shall not aggregate those transactions for CTR purposes — the law requires reporting on cash transactions equivalent to or exceeding the threshold, not on aggregates of sub-threshold activity.
Instead, institutions must seek to understand the reasons for sub-threshold activity. Where the pattern appears to be splitting of transactions or otherwise unusual or suspicious, the institution must file a Suspicious Transaction or Activity Report (STR/SAR) — not a CTR (Circular §4.4). This keeps the two pathways distinct: CTR for threshold-reaching transactions (objective, per-transaction); STR for suspicious patterns (judgment-led).
Many compliance programmes historically operated on the assumption that same-day cash activity must be summed into a single CTR where the total reaches the threshold. Under the FRC's current position, that practice produces CTRs that do not match the regulation's requirements and can crowd out the STR pathway that the Circular expects.
Filing Deadline: Friday of the Week
Regulation 40(3)(c) of POCAMLR requires CTRs to be submitted by the Friday of the week in which the qualifying transaction was conducted, or such other time as the FRC may specify. The FRC Circular No. 4 of 2023 confirms this as the operative deadline.
In practical terms: a cash transaction on Monday must be reported by the same Friday; a transaction on Thursday leaves effectively one business day for detection, preparation, approval, and submission. The compressed window makes continuous monitoring — as opposed to end-of-week batch review — a practical necessity.
Submissions are made through the goAML application at https://goaml.frc.go.ke. The FRC's goAML system timestamps submissions on receipt, and late submissions are identifiable during FRC inspections. A pattern of late CTR filings — even if the reports themselves are accurate — is treated as a compliance failure that can trigger supervisory action.
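The CTR rules in this section (per-transaction USD-equivalent test, no same-day aggregation, splitting routed to STR review, Friday-of-the-week deadline) can be expressed as a small triage routine. The following is an added example, not FRC or vendor code; the record layout, the exchange rates, the Monday-start week and the "two or more transactions that together reach the threshold" review heuristic are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from decimal import Decimal
from typing import Optional

CTR_THRESHOLD_USD = Decimal("15000")  # per-transaction threshold stated in this guide


@dataclass(frozen=True)
class CashTxn:  # hypothetical record layout, not a goAML structure
    ref: str
    customer_id: str
    branch: str
    when: datetime
    amount: Decimal
    currency: str


def usd_equivalent(txn, buying_rates):
    """Convert at the institution's buying rate for the transaction date.
    buying_rates maps (currency, date) -> USD per one unit of currency."""
    key = (txn.currency, txn.when.date())
    if key not in buying_rates:
        # Fail closed: a missing rate must never make a transaction look small.
        raise ValueError(f"no buying rate for {key[0]} on {key[1]}")
    return txn.amount * buying_rates[key]


def ctr_deadline(txn_date: date) -> Optional[date]:
    """Friday of the week of the transaction (week assumed to start on Monday).
    The guide does not say how Saturday/Sunday cash is treated, so those
    return None and need a documented decision by the institution."""
    weekday = txn_date.weekday()  # Monday=0 ... Sunday=6
    return txn_date + timedelta(days=4 - weekday) if weekday <= 4 else None


def triage(txns, buying_rates):
    """Split cash transactions into CTR cases and STR-review candidates."""
    ctr_cases, sub_threshold = [], defaultdict(list)
    for txn in txns:
        usd = usd_equivalent(txn, buying_rates)
        if usd >= CTR_THRESHOLD_USD:  # "equivalent to or exceeding"
            ctr_cases.append({"ref": txn.ref, "usd": usd,
                              "file_by": ctr_deadline(txn.when.date())})
        else:
            # Never summed into a CTR; kept only to look for splitting.
            sub_threshold[(txn.customer_id, txn.when.date())].append((txn, usd))

    str_review = []
    for (customer, day), items in sorted(sub_threshold.items()):
        total = sum(usd for _, usd in items)
        # Constructed heuristic: several same-day sub-threshold cash
        # transactions, across any branches, that together reach the threshold.
        if len(items) >= 2 and total >= CTR_THRESHOLD_USD:
            str_review.append({"customer_id": customer, "day": day,
                               "refs": [t.ref for t, _ in items],
                               "branches": sorted({t.branch for t, _ in items}),
                               "total_usd": total})
    return {"ctr": ctr_cases, "str_review": str_review}


# Constructed sample data: rates, customers and amounts are invented.
MON, THU = date(2026, 3, 2), date(2026, 3, 5)
RATES = {("KES", MON): Decimal("0.008"), ("KES", THU): Decimal("0.008"),
         ("USD", THU): Decimal("1")}
SAMPLE = [
    CashTxn("T1", "C1", "BR-01", datetime(2026, 3, 2, 9, 30), Decimal("2000000"), "KES"),
    CashTxn("T2", "C2", "BR-01", datetime(2026, 3, 5, 10, 0), Decimal("700000"), "KES"),
    CashTxn("T3", "C2", "BR-02", datetime(2026, 3, 5, 11, 15), Decimal("700000"), "KES"),
    CashTxn("T4", "C2", "BR-03", datetime(2026, 3, 5, 14, 40), Decimal("700000"), "KES"),
    CashTxn("T5", "C3", "BR-01", datetime(2026, 3, 5, 15, 5), Decimal("15000"), "USD"),
    CashTxn("T6", "C4", "BR-02", datetime(2026, 3, 5, 16, 20), Decimal("100000"), "KES"),
]

if __name__ == "__main__":
    outcome = triage(SAMPLE, RATES)
    for case in outcome["ctr"]:
        print("CTR", case["ref"], case["usd"], "file by", case["file_by"])
    for case in outcome["str_review"]:
        print("STR review", case["customer_id"], case["refs"], case["total_usd"])
```

In the sample, customer C2's three deposits total more than the threshold but produce no CTR; they appear only in the STR-review queue, which is the separation the Circular requires.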
What a CTR Must Contain: Mandatory Fields
A CTR submitted to the FRC through goAML must include the following mandatory elements in the XML:
Transaction-level fields:
- Transaction amount (in the currency transacted)
- Transaction currency code (ISO 4217)
- Transaction date and time
- Transaction type (deposit, withdrawal, currency exchange)
- Transaction reference number
- Branch or channel where transaction was conducted
Customer identity fields:
- Full legal name
- National ID number (mandatory for Kenyan nationals: Huduma Namba or old-format National ID; Passport for non-nationals)
- Date of birth
- Physical address
- Phone number
Account fields:
- Account number
- Account type
- Institution SWIFT/BIC code
Reporting entity fields:
- Reporting institution name and FRC registration number
- Reporting officer name and contact
- Report preparation date
Missing any mandatory field will cause the XML to fail schema validation at the FRC goAML portal, resulting in an immediate rejection.
Suspicious Transaction Reports (STRs) — The Compliance Officer's Challenge
What Makes a Transaction "Suspicious"
Unlike CTRs, which are threshold-based, STRs are judgment-based. POCAMLA Section 12 obliges reporting institutions to file an STR whenever a staff member has "reasonable grounds to suspect" that a transaction is connected to money laundering, terrorism financing, or proceeds of crime.
"Reasonable grounds to suspect" is a lower standard than certainty. The FRC does not expect compliance officers to have proof of wrongdoing before filing — it expects them to act on legitimate red flags. Indicators of suspicion include, but are not limited to:
- Transactions inconsistent with a customer's known business profile or financial history
- Large cash transactions from customers who do not typically use cash
- Customer reluctance to provide identification or information about the source of funds
- Unusual transaction patterns suggesting structuring (multiple transactions just below reporting thresholds)
- Transactions involving jurisdictions identified as high-risk by FATF, the FRC, or international sanctions lists
- Transactions involving politically exposed persons (PEPs) without adequate explanation
- Complex transaction structures with no apparent legitimate purpose
- Customer providing false, inconsistent, or contradictory identification information
The FRC has issued typology guidance covering common money laundering methodologies seen in Kenya, including real estate layering, trade-based money laundering, mobile money fraud, and hawala-style remittances. Compliance teams should review this guidance regularly and ensure their transaction monitoring rules are aligned to known typologies.
Filing Within 3 Days of Forming Suspicion
Once a compliance officer forms a suspicion that a transaction may be connected to money laundering or terrorism financing, the STR must be filed with the FRC within 3 days. This deadline is strict and begins when suspicion is "formed" — not when an investigation is completed.
This creates a practical challenge: compliance teams must be capable of rapidly gathering sufficient information to produce a complete, high-quality STR within 72 hours of an alert being escalated. Institutions that rely on manual processes — spreadsheets, email chains, and manual XML construction — regularly fail this deadline, particularly for complex multi-transaction cases.
The 3-day deadline applies regardless of the amount involved. A KES 5,000 mobile money transaction can generate an STR obligation if there are reasonable grounds for suspicion.
Mandatory STR Content: Narrative, Indicators, Subject ID
A complete STR submitted to the FRC through goAML must include:
Subject identification:
- Full legal name, National ID/Passport number
- Date of birth and address
- Relationship to the reporting institution (customer, counterparty, third party)
Transaction details:
- All transactions connected to the suspicious activity, with dates, amounts, types, and references
- Account numbers and branch details for all accounts involved
Indicators: At least one goAML-coded suspicion indicator from the FRC's approved indicator taxonomy. Indicators are standardised codes that categorise the type of suspicious behaviour (e.g., structuring indicators, PEP indicators, TF-related indicators). The FRC uses these codes in aggregate analysis, so accurate selection matters.
Narrative: A clear, factual, and specific narrative explaining the basis for suspicion. The narrative must describe the specific transactions, explain why they are inconsistent with the customer's profile, reference any customer explanations received, and state what the compliance officer believes may be occurring. Vague narratives ("transaction seems unusual") are a primary cause of FRC feedback requests and poor mutual evaluation ratings.
A high-quality narrative typically runs 200–500 words and reads as a factual account, not a legal conclusion.
Tipping-Off Prohibition
POCAMLA Section 17 prohibits any person from "tipping off" — that is, disclosing to the subject of an STR (or to any connected person) that a report has been or may be filed, or that an investigation is underway.
The tipping-off prohibition applies to all staff, not just compliance officers. A relationship manager who mentions to a customer that "I had to report your transaction to the FRC" has committed a criminal offence under POCAMLA, carrying a penalty of up to KES 5,000,000 or 3 years' imprisonment, or both.
Institutions must train all customer-facing staff on the tipping-off prohibition and ensure that STR workflows are handled on a strict need-to-know basis.
Kenya-Specific Localisation Rules in goAML
National ID Mandatory for Kenyan Subjects
Kenya's goAML implementation requires that all Kenyan nationals named in an STR or CTR — whether as account holders, transacting parties, or subjects of suspicion — must be identified by their Kenya National Identity Card number (the 8-digit national ID).
The FRC also accepts the Huduma Namba (national integrated identity management system number) where the customer has been registered. For non-Kenyan nationals transacting in Kenya, a Passport number is mandatory, along with nationality and country of issue.
This requirement is stricter than the base goAML schema, which allows more flexibility in identity document types. XML submissions that omit the Kenyan National ID for Kenyan subjects will fail FRC-level validation even if they pass base schema validation.
For entities (companies, partnerships, trusts), the PIN (Personal Identification Number issued by the Kenya Revenue Authority, KRA) is the mandatory identifier, along with the Certificate of Incorporation number.
Mobile Money Channel Classification
Kenya's mobile money ecosystem is among the most developed in the world, and the FRC has developed specific channel classification codes for mobile money transactions. When reporting transactions conducted through mobile money platforms, the XML must correctly classify the channel:
- M-PESA transactions: Must use the Safaricom M-PESA channel code and, where available, the M-PESA agent code for cash-in/cash-out transactions
- Airtel Money transactions: Must use the Airtel Money Kenya channel code
- T-Kash transactions: Must use the Telkom Kenya T-Kash channel code
These classifications are mandatory in the Kenya FRC goAML implementation and are used by the FRC's analytics to map transaction flows across the mobile money ecosystem. Incorrect channel classification is treated as a data quality deficiency.
TF Indicators and Enhanced Narrative Requirements
Transactions flagged with terrorism financing (TF) indicators in the goAML system trigger enhanced narrative requirements under Kenya's Prevention of Terrorism Act (POTA) and the FRC's counter-terrorism financing (CTF) guidance. When a compliance officer selects a TF-category indicator, the system requires an expanded narrative that:
- Explains in detail the basis for the TF indicator selection
- Describes any connection to known high-risk jurisdictions or sanctioned individuals/entities
- Documents any enhanced due diligence (EDD) steps taken before or after the transaction
- States whether a freeze or restriction has been placed on the relevant account(s)
TF-flagged STRs are treated as priority submissions by the FRC and are escalated to dedicated counter-terrorism financing analysts on receipt. The quality of the narrative in these reports directly affects the FRC's ability to act, and institutions that file TF-flagged STRs with inadequate narratives can expect follow-up information requests from the FRC.
How Automation Transforms FRC Reporting
The Manual Reporting Bottleneck
Many Kenyan financial institutions still rely heavily on manual processes for CTR and STR production. A compliance officer receives an alert, manually reviews transaction records, manually writes the narrative, manually populates an XML template, and manually submits through the goAML portal. This process is time-consuming, error-prone, and difficult to audit.
The consequences are measurable. Industry data and FRC inspection findings consistently show a 40–60% rejection rate for manually produced goAML XML submissions from smaller institutions. Common rejection reasons include: missing mandatory fields, incorrect ID document formats, invalid XML encoding, schema validation failures, and mismatched transaction references. Each rejection requires the institution to correct and resubmit — and the rejection-to-resubmission cycle consumes compliance team time that could be spent on higher-value work.
Manual processes also create audit trail gaps. When an assessor asks to see evidence that an STR was approved by the Chief Compliance Officer before submission, a manual operation may struggle to produce a documented audit trail with timestamps, approver identities, and approval decisions. This is precisely the kind of gap that ESAAMLG mutual evaluation assessors identify as a systemic deficiency.
What goAML XML Automation Delivers
Automated goAML reporting platforms transform the compliance workflow in several fundamental ways.
Threshold detection: Rather than relying on compliance officers to manually monitor for cash transactions at or above the USD 15,000 equivalent, an automated platform continuously monitors transaction streams, applies the per-transaction threshold test with real-time currency conversion, and generates CTR cases automatically. In parallel, the same platform surfaces sub-threshold structuring patterns for STR review — keeping the CTR and STR pathways properly separated as the FRC expects.
XML generation: The platform maps your institution's internal transaction and customer data directly to the goAML XSD v5.0.2 schema, applying Kenya-specific field rules (National ID format, mobile money channel codes, TF narrative requirements) automatically. The compliance officer reviews and approves a case; the platform generates the submission-ready XML.
Pre-submission validation: Before the XML ever reaches the FRC portal, the platform validates it against the full schema and Kenya-specific rule set. Errors are surfaced to the compliance officer with specific remediation guidance — not as an FRC rejection after the deadline has run.
Audit trail: Every action — case creation, escalation, narrative edit, approval, and submission — is logged in an immutable audit log with timestamps and user identities. This provides the documented workflow evidence that regulators and assessors expect.
Institutions using automated goAML reporting platforms report savings of 40–87 hours per month in compliance team time, with rejection rates dropping to under 5% and filing-within-deadline compliance rates exceeding 98%.
Pre-Validation Catching Errors Before the FRC Sees Them
The single most impactful feature of an automated goAML platform, from a compliance risk perspective, is pre-submission validation. By running the same validation logic that the FRC's goAML system will apply — before submission — the platform catches errors that would otherwise result in rejection.
Common errors caught by pre-validation include: National ID numbers formatted incorrectly (wrong digit count, incorrect check digit), missing mandatory narrative content, transaction date-time format mismatches, invalid currency codes, and XML encoding issues caused by special characters in customer names.
Pre-validation also enforces workflow rules. For example, a platform can be configured to prevent STR submission unless the narrative meets a minimum word count, or unless at least one goAML indicator code has been selected. These rules ensure that the reports reaching the FRC are complete and high-quality — reducing the risk of FRC feedback requests and protecting your institution's reputation as a reliable data contributor.
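A sketch of the pre-submission checks described above, run on a draft report before any XML is generated. This is an added example, not the FRC's validation logic or any vendor's code; the dictionary keys, the "TF-" indicator prefix, the ISO 8601 date-time format and the 200-word default floor are assumptions, and the currency test checks only the three-letter shape of an ISO 4217 code.

```python
import re
from datetime import datetime

# Code points XML 1.0 cannot carry at all, even as character references.
_XML_ILLEGAL = re.compile(
    "[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")


def prevalidate(draft, min_narrative_words=200):
    """Return a list of (field, problem) tuples; an empty list means the
    draft may proceed to XML generation. All field names are hypothetical."""
    errors = []
    subj = draft.get("subject") or {}

    name = subj.get("full_name") or ""
    if not name.strip():
        errors.append(("subject.full_name", "missing"))
    elif _XML_ILLEGAL.search(name):
        errors.append(("subject.full_name", "character not allowed in XML 1.0"))

    if subj.get("nationality") == "KE":
        id_ok = re.fullmatch(r"[0-9]{8}", subj.get("national_id") or "")
        # Huduma Namba format is not given in the guide, so only presence is checked.
        if not id_ok and not subj.get("huduma_namba"):
            errors.append(("subject.national_id",
                           "8-digit National ID or Huduma Namba required"))
    else:
        for field in ("passport_number", "nationality", "country_of_issue"):
            if not subj.get(field):
                errors.append((f"subject.{field}", "required for non-Kenyan national"))

    for i, txn in enumerate(draft.get("transactions") or []):
        if not re.fullmatch(r"[A-Z]{3}", txn.get("currency") or ""):
            errors.append((f"transactions[{i}].currency", "not a 3-letter code"))
        try:
            datetime.fromisoformat(txn.get("when") or "")
        except ValueError:
            errors.append((f"transactions[{i}].when", "not an ISO 8601 date-time"))

    if draft.get("report_type") == "STR":
        indicators = draft.get("indicators") or []
        if not indicators:
            errors.append(("indicators", "at least one indicator code required"))
        words = len((draft.get("narrative") or "").split())
        if words < min_narrative_words:
            errors.append(("narrative", f"{words} words, minimum {min_narrative_words}"))
        # TF-flagged reports must state whether the account is frozen or restricted.
        if any(code.startswith("TF-") for code in indicators) \
                and draft.get("account_frozen") is None:
            errors.append(("account_frozen", "must be stated for a TF-flagged STR"))
    return errors


# Constructed drafts: every value below is invented for illustration.
GOOD_DRAFT = {
    "report_type": "STR",
    "subject": {"full_name": "Wanjiru O'Neil & Sons", "nationality": "KE",
                "national_id": "12345678"},
    "transactions": [{"currency": "KES", "when": "2026-03-05T10:00:00"}],
    "indicators": ["STRUCT-01"],
    "narrative": ("Customer made three cash deposits of KES 700,000 at three "
                  "branches on one day, inconsistent with the declared salary "
                  "income; no explanation was given when asked."),
}
BAD_DRAFT = {
    "report_type": "STR",
    "subject": {"full_name": "John\x0bDoe", "nationality": "KE",
                "national_id": "1234567"},
    "transactions": [{"currency": "Ksh", "when": "05/03/2026 10:00"}],
    "indicators": ["TF-01"],
    "narrative": "transaction seems unusual",
}

if __name__ == "__main__":
    # The word floor is lowered here only because the sample narrative is short.
    print(prevalidate(GOOD_DRAFT, min_narrative_words=20))
    for field, problem in prevalidate(BAD_DRAFT):
        print(f"{field}: {problem}")
```

Characters such as the ampersand and apostrophe in the first sample name are legal in XML and only need escaping by the serializer; the vertical-tab control character in the second cannot be represented in XML 1.0 at all, so it has to be caught before generation.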
Frequently Asked Questions
Q: Does every branch need to separately register with the FRC, or does the institution register once?
The reporting institution as a whole registers with the FRC and receives a single FRC registration number. Individual branches do not register separately, but CTR and STR submissions must identify the specific branch where the transaction was conducted. Branch-level data quality is therefore critical — each branch must maintain accurate records of customer IDs, transaction references, and cash amounts that feed into institution-wide submissions.
Q: What happens if we file a CTR and later discover the customer was actually structuring (smurfing)?
A CTR filing does not prevent you from also filing an STR. In fact, if after filing a CTR you discover evidence that the customer structured the transactions to avoid threshold reporting, you should file an STR as well, referencing the previously submitted CTR. The FRC's analysts will link the two reports. Structuring is itself a standalone money laundering offence under POCAMLA, separate from whatever the underlying funds may represent.
Q: How long does the FRC take to respond to an STR submission?
The FRC does not typically acknowledge individual STR submissions or provide feedback on specific reports, due to the confidentiality requirements of the AML investigation process. You may receive technical validation feedback (acceptance or rejection) from the goAML portal within minutes to hours of submission. Investigative outcomes — whether the FRC has acted on your STR — are generally not communicated back to reporting institutions except in specific circumstances.
Q: Can we amend or withdraw an STR after submission?
The goAML portal supports submission of supplementary reports (SARs) that provide additional information to an existing STR. However, STRs that have been accepted cannot be simply "withdrawn." If you believe a report was filed in error, you should contact the FRC directly. In practice, the better approach is to ensure reports are complete and accurate before submission — which is the strongest argument for an automated platform with robust pre-submission validation.
Q: What training are staff required to have under POCAMLA?
POCAMLA and related FRC guidelines require reporting institutions to provide AML/CFT training to all relevant staff — not just compliance officers. This includes customer-facing staff who may encounter suspicious activity, back-office staff who process transactions, and management who set risk appetite. The FRC expects institutions to maintain records of staff training, including training dates, content covered, and assessment results. The CBK's Prudential Guideline on AML/CFT specifies that training must be updated at least annually and whenever significant regulatory changes occur.
Automate Your FRC Reporting with Creodata
Manual goAML reporting is a risk your institution cannot afford to carry in 2026. With FRC enforcement actions on the rise, ESAAMLG mutual evaluation pressure intensifying, and the goAML XML schema becoming more exacting with each update, compliance teams need a purpose-built platform that handles the complexity automatically.
Creodata's goAML AML Reporting Platform is built specifically for East African financial institutions. It handles the full reporting lifecycle — from per-transaction USD 15,000-equivalent threshold detection, through structuring-pattern surveillance and multi-level STR approval, to schema-valid XML generation and submission to the FRC portal. Kenya-specific rules are built in: National ID validation, mobile money channel classification, TF enhanced narrative enforcement, and real-time currency conversion against the threshold.
Our clients report a 40–87 hour reduction in monthly compliance team workload, rejection rates below 5%, and a complete, immutable audit trail for every submission.
