POCAMLA and POTA Compliance for Kenya Banks: 2026 Guide

April 18, 2026

Kenya's AML/CFT compliance environment in 2026 bears little resemblance to the relatively permissive landscape of five years ago. The Financial Reporting Centre (FRC) has exercised its expanded administrative sanction powers under the 2023 POCAMLA amendments to impose penalties on reporting institutions with chronic reporting failures. The Central Bank of Kenya (CBK) has integrated AML/CFT compliance into its CAMELS supervisory framework for banks, meaning that compliance deficiencies now directly affect institutional risk ratings. And ESAAMLG's scrutiny of Kenya's mutual evaluation follow-up progress has created international accountability for what was previously regarded as a domestic matter.

For compliance officers, MLROs, and board risk committees at Kenya's banks, microfinance banks, SACCOs, and payment service providers, this environment demands that POCAMLA and POTA compliance be treated as a strategic priority — not a back-office administrative function.

This guide provides a comprehensive, practical reference for understanding and meeting your institution's obligations under Kenya's principal AML/CFT legislation. It covers the legal architecture, who qualifies as a reporting institution, the specific duties around STRs and CTRs, penalties, customer due diligence requirements, record-keeping obligations, and how to build a genuinely compliant workflow that will withstand regulatory examination.

For technical guidance on filing CTRs and STRs through the FRC's goAML portal, including XML schema requirements and Kenya-specific localisation rules, see our companion article: Kenya FRC goAML Reporting: Complete Guide 2026. For threshold-specific detail and the FRC's position on same-day sub-threshold transactions, see our Kenya CTR Threshold: The USD 15,000 Rule Explained.


Kenya's AML/CFT Legal Architecture

Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) 2009 — Scope and Amendments

The Proceeds of Crime and Anti-Money Laundering Act, 2009 (POCAMLA) is Kenya's foundational AML statute. Enacted after Kenya's initial FATF-style review identified gaps in the existing legal framework, POCAMLA created a comprehensive regime covering: the criminalization of money laundering; the establishment of the Financial Reporting Centre (FRC); the obligations of reporting institutions to file STRs and CTRs; customer due diligence requirements; record-keeping duties; and the FRC's powers of supervision, investigation, and enforcement.

POCAMLA has been amended several times since 2009. The most consequential amendments were introduced through the Statute Law (Miscellaneous Amendments) Acts and, most recently, the Proceeds of Crime and Anti-Money Laundering (Amendment) Act 2023. The 2023 amendments are the most significant update to the Act since its enactment and introduce several provisions with direct operational impact on reporting institutions:

  • Expanded FRC administrative sanction powers: The FRC can now impose civil penalties without requiring criminal prosecution, making enforcement faster and more certain
  • Enhanced beneficial ownership requirements: Reporting institutions are now obligated to verify and record the beneficial owners of all legal entity customers, with enhanced requirements for entities in high-risk sectors
  • Updated reporting institution categories: The 2023 amendments extended POCAMLA coverage to virtual asset service providers (VASPs), certain dealers in high-value goods (luxury vehicles, art, precious stones above specified thresholds), and expanded coverage of trust and company service providers
  • Strengthened tipping-off provisions: The 2023 amendments clarified the scope of the tipping-off prohibition and increased the maximum penalties for violations
  • FRC supervisory cooperation: Enhanced provisions for cooperation between the FRC and other domestic supervisory bodies (CBK, SASRA, CMA, IRA) and foreign financial intelligence units

Compliance teams must ensure that their policies and procedures reflect the 2023 amendments. Institutions operating under policies last updated before 2023 may be materially out of compliance.

Prevention of Terrorism Act (POTA) 2012 — How It Links to AML Reporting

The Prevention of Terrorism Act, 2012 (POTA) is Kenya's primary counter-terrorism financing (CTF) legislation. While POCAMLA addresses money laundering broadly, POTA specifically creates offences related to terrorism and terrorism financing — including the provision of funds or financial services that the person knows or reasonably suspects will be used for terrorism.

POTA links to AML reporting in several important ways. First, the FRC's goAML system includes terrorism financing (TF) indicator codes separate from money laundering indicators, and selecting a TF indicator on an STR submission triggers enhanced reporting requirements and priority handling by the FRC's CTF unit. Second, POTA imposes a positive obligation on financial institutions to freeze assets and accounts where the institution knows or has reasonable grounds to believe that a customer is a designated terrorist or a terrorism financing entity — an obligation that must be exercised without prior court order in some circumstances.

Third, POTA's definitions of terrorism financing are broad enough to capture transactions that a compliance officer might initially view as a commercial or economic matter rather than a security concern. Financing that supports an organisation engaged in terrorism — even if the specific funds are intended for ostensibly legitimate purposes — can be within scope. Compliance officers assessing whether a TF-indicator STR is required must apply POTA's definitions, not just their intuition about whether the customer "seems like a terrorist."

Training on the interface between POCAMLA and POTA is an area where many Kenyan compliance programmes are thin. Compliance officers should receive explicit instruction on: when POTA obligations are triggered, the difference between an ML-indicator STR and a TF-indicator STR, and the special obligations (including account freeze) that attach to TF-related suspicions.

CBK Prudential Guideline on Proceeds of Crime and Anti-Money Laundering

The Central Bank of Kenya has issued Prudential Guideline CBK/PG/09 on Proceeds of Crime and Anti-Money Laundering, which applies to all commercial banks and mortgage finance companies licensed by the CBK. This guideline provides operational detail on how CBK-regulated institutions should implement their POCAMLA obligations, including:

  • The minimum components of an institution's AML/CFT programme (policies, procedures, monitoring systems, training, internal audit, MLRO designation)
  • Standards for customer due diligence, including enhanced due diligence triggers and politically exposed person (PEP) requirements
  • Guidance on transaction monitoring systems and the escalation process for suspicious activity
  • Standards for the Compliance Officer/MLRO function, including minimum qualifications and reporting line requirements
  • Expectations for AML/CFT governance — board oversight, management information reporting, and internal audit coverage of AML/CFT

The CBK guideline does not replace POCAMLA — it supplements it with sector-specific detail for banking institutions. SACCOs operating with front-office service activities are supervised by SASRA, which has issued equivalent AML/CFT guidance under its regulatory framework. MFIs are supervised by CBK through the Microfinance Act regime.

For compliance purposes, an institution regulated by CBK must meet the requirements of both POCAMLA (as primary legislation) and CBK/PG/09 (as implementing guidance). Where the guideline is more prescriptive than the Act, the guideline sets the practical compliance standard.

Relationship Between FRC, CBK, NPS, and Related Bodies

The AML/CFT supervisory architecture in Kenya involves multiple agencies with overlapping but distinct mandates, and compliance officers benefit from understanding how these bodies interact.

The Financial Reporting Centre (FRC) is the primary AML/CFT supervisor for all reporting institutions across all sectors. It receives STRs and CTRs, conducts inspections and investigations, and has enforcement powers under POCAMLA. Every reporting institution — regardless of which sector it operates in — is subject to FRC oversight for AML/CFT purposes.

The Central Bank of Kenya (CBK) supervises banks, microfinance banks, forex bureaus, payment service providers, and money remittance providers under the Banking Act, the Microfinance Act, and the National Payment System (NPS) Act. The CBK's AML/CFT supervision runs alongside (not instead of) the FRC's, and CBK examination findings on AML/CFT are shared with the FRC.

The SACCO Societies Regulatory Authority (SASRA) supervises deposit-taking SACCOs and their front-office service activities. SASRA has AML/CFT supervisory responsibility for the SACCO sector and works in coordination with the FRC.

The Capital Markets Authority (CMA) supervises securities market participants — stockbrokers, investment banks, fund managers, and collective investment schemes — for AML/CFT compliance.

The Insurance Regulatory Authority (IRA) supervises insurance companies and intermediaries.

For institutions supervised by multiple bodies — for example, a bank that is regulated by CBK for prudential purposes and by the CMA for its investment banking activities — AML/CFT requirements from each supervisor apply simultaneously. There is no "primary supervisor" exemption in AML/CFT: FRC oversight applies regardless.


Who Is a "Reporting Institution" Under POCAMLA?

Full List of Covered Entities

POCAMLA Section 2, as amended, defines "reporting institution" broadly. The full list of entities covered includes:

Financial institutions:

  • Licensed commercial banks and mortgage finance companies (CBK)
  • Licensed microfinance banks and deposit-taking MFIs (CBK)
  • Building societies
  • Licensed forex bureaus and money changers (CBK)
  • Licensed money remittance providers and payment service providers (CBK/NPS)
  • Mobile money operators (Safaricom M-PESA, Airtel Money Kenya, T-Kash)
  • Deposit-taking SACCOs with front-office service activities (SASRA)
  • Credit reference bureaus handling financial transactions
  • Hire purchase and leasing companies
  • Collective investment schemes and fund managers (CMA)
  • Stockbrokers, investment banks, and securities dealers (CMA)
  • Insurance companies and brokers when handling policy premiums or investment-linked products (IRA)

Designated non-financial businesses and professions (DNFBPs):

  • Real estate agents (when acting as agent in real property transactions)
  • Advocates, notaries, and other independent legal professionals (when conducting designated transactions: managing client money, forming companies, purchasing real property)
  • Accountants, auditors, and tax advisers in public practice (when conducting designated transactions)
  • Casinos and betting companies (Betting Control and Licensing Board)
  • Dealers in precious metals, precious stones, and jewellery (above prescribed thresholds)
  • Dealers in motor vehicles (above prescribed thresholds under 2023 amendments)
  • Dealers in art, antiques, and luxury goods (above prescribed thresholds under 2023 amendments)
  • Trust and company service providers
  • Virtual asset service providers (VASPs) under 2023 amendments

The breadth of this list means that many organisations that do not think of themselves as "financial institutions" are in fact POCAMLA reporting institutions with full STR, CTR, CDD, and record-keeping obligations.

Agent Banking — When the Agent vs. the Principal Is the Reporting Entity

Agent banking has created structural complexity for POCAMLA compliance. Under the CBK's Agent Banking Guidelines, commercial banks may engage third parties (retail outlets, post offices, supermarkets) as agents to conduct specified banking transactions on the bank's behalf.

The POCAMLA reporting obligation sits with the principal — the licensed bank — not the individual agent. Agents are acting as an extension of the bank's channel network, and the bank remains responsible for ensuring that transactions conducted through its agents are captured in its threshold monitoring and suspicious activity detection systems.

However, this does not mean agents are completely outside the POCAMLA framework. If an agent independently provides financial services beyond its agency mandate, or if the agent operator is independently a reporting institution (for example, a supermarket chain that also offers its own stored-value product), then separate reporting obligations may arise.

The practical consequence for banks is that their AML/CFT monitoring systems must integrate agent transaction data with branch and digital channel data. A bank that can only see its branch transactions is blind to a significant portion of its customer activity.

Exemptions and De Minimis

POCAMLA does not provide broad exemptions from the reporting regime, but several categories of transactions and institutional relationships receive different treatment:

  • Interbank transactions: Transactions between regulated reporting institutions for their own account (not on behalf of customers) are not subject to the standard CTR threshold, though suspicious activity reporting obligations still apply
  • Government payments: Certain prescribed government receipts and payments may be treated differently — compliance officers should consult FRC guidance notes for current applicable exemptions
  • Intra-group transactions: Transactions between entities within the same financial group, where both entities are reporting institutions, are treated more leniently in some respects, though suspicious activity reporting obligations remain
  • Low-risk products: Certain financial products designated as low-risk (some basic bank accounts with strict transaction limits) may be subject to simplified CDD requirements, though not exempted from suspicious activity reporting

The FRC has emphasised that institutions should not apply exemptions expansively. When in doubt about whether a transaction or relationship falls within an exemption, the safer compliance position is to apply the standard CDD and reporting requirements.


STR Obligations Under POCAMLA

Section 12 — The Duty to Report

POCAMLA Section 12 imposes the primary STR obligation on reporting institutions:

"A reporting institution shall, within the prescribed period, report to the Centre a transaction or a series of transactions if the reporting institution has reasonable grounds to suspect that the transaction or series of transactions involves proceeds of crime or is connected to money laundering, terrorism financing, or any other unlawful activity."

The obligation in Section 12 is not permissive — it is mandatory. A reporting institution does not have discretion to decide whether to file an STR once it has formed reasonable grounds for suspicion. The formation of suspicion creates an immediate legal duty.

Section 12 also covers "a series of transactions" — meaning that a pattern of individually unremarkable transactions can collectively trigger an STR obligation, even if no single transaction is independently suspicious.

What "Suspicion" Means — Reasonable Grounds vs. Certainty

One of the most common compliance misunderstandings in Kenya is the belief that a compliance officer must be certain — or close to certain — that money laundering is occurring before filing an STR. This is incorrect and contrary to POCAMLA's clear wording.

The standard is "reasonable grounds to suspect" — a substantially lower bar than certainty or even probability. Reasonable grounds exist when there is an objective, articulable basis for suspicion: specific facts about the transaction, the customer, or the pattern of activity that a reasonable compliance professional would find concerning. The compliance officer does not need to have investigated and confirmed the suspicion. She does not need to know how the money laundering scheme works. She needs to have a rational, fact-based reason to think that the transaction may be connected to money laundering or a related offence.

Factors that typically constitute reasonable grounds include: transactions inconsistent with the customer's stated business; unusual transaction structuring; transactions involving sanctioned jurisdictions or sanctioned persons; customer reluctance to explain the source of funds or purpose of transactions; patterns that match known typologies; and customer information that does not withstand basic verification.

Filing an STR where reasonable grounds exist is a protected act under POCAMLA — the reporting institution and its officers have statutory immunity from civil liability for making the report in good faith. Failing to file an STR where reasonable grounds exist exposes the institution and its officers to criminal liability.

3-Day Filing Window From Formation of Suspicion

The prescribed period for STR filing under POCAMLA is 3 days from the date on which the reporting institution forms the suspicion. This deadline is measured in calendar days, not business days — weekends and public holidays count.

The clock starts when a compliance officer forms the suspicion, not when the investigation is concluded. This is deliberate: the FRC wants STRs filed promptly, while the transaction is fresh. An institution that investigates a suspicious transaction for two weeks and then files an STR at day 20 has breached the filing deadline regardless of the quality of the report it ultimately produces.

This has an important practical implication: the STR workflow must be designed to complete case preparation, internal review, approval, XML generation, and FIU submission within 3 calendar days. For institutions without automation, this is extremely challenging, particularly for complex cases. For institutions with an automated platform, where the case is pre-populated with transaction data and customer identity, and the compliance officer's task is review, narrative drafting, and approval, 3-day filing is operationally achievable for the vast majority of cases.

Mandatory STR Content: Narrative, Indicators, Subject ID

A complete and valid STR must contain:

Subject identification:

  • Full legal name as on identity document
  • National ID number (8-digit for Kenyan nationals), or Passport (for non-nationals)
  • Huduma Namba where registered
  • Date of birth
  • Physical address (including county)
  • Occupation or nature of business
  • Tax PIN (KRA PIN) — strongly recommended; required for business customers
  • Relationship to the reporting institution (account holder, third-party beneficiary, etc.)

Transaction detail:

  • All transactions connected to the suspicious activity
  • For each transaction: amount, currency, date, time, type, reference, branch/channel
  • Account numbers and types of all involved accounts
  • Counterparty details where identifiable

Indicators:

  • At least one goAML-coded indicator from the FRC's approved taxonomy
  • Indicators must accurately characterise the type of suspicious behaviour (structuring indicators, TF indicators, PEP indicators, etc.)

Narrative:

  • A factual, specific, and sufficient account of the basis for suspicion
  • Describing the transactions, explaining why they are inconsistent with the customer's profile, noting any customer explanation received and its inadequacy, and connecting the behaviour to a typology where possible
  • For TF-indicator STRs: enhanced narrative with specific reference to the TF typology, any connections to designated persons or entities, and any account restriction actions taken

Tipping-Off Prohibition (Section 17) and Its Criminal Consequences

POCAMLA Section 17 prohibits the disclosure to any person that a report has been or is about to be made to the FRC in respect of a transaction. Specifically, it is a criminal offence to:

  • Tell the subject of an STR that a report has been or will be filed in relation to their transactions
  • Tell any other person information from which the subject could deduce that a report has been filed
  • Disclose to any person that a money laundering investigation is being conducted by the FRC or law enforcement

The prohibition applies to all officers and employees of the reporting institution — not just the compliance team. A teller, relationship manager, branch manager, or call centre agent who mentions to a customer that "we had to report your account" has committed a criminal offence under POCAMLA.

Penalties for tipping-off under the 2023 amendments are substantial: up to KES 5,000,000 for an individual, and up to KES 10,000,000 for an institution, with additional criminal sanctions for wilful disclosure.

The practical training requirement is clear: all customer-facing staff must know that if a customer ever asks why their account has been frozen or why they are being asked for additional information, the correct response is to say that the bank cannot discuss the details for legal reasons — and immediately escalate to the compliance team. Under no circumstances should staff confirm or deny that a report has been filed.


CTR Obligations

USD 15,000 Threshold and Its Legal Basis

Kenya's Cash Transaction Report threshold is established under POCAMLA Section 44(6) and Regulation 40(1) of the Proceeds of Crime and Anti-Money Laundering Regulations, 2023 (POCAMLR). It requires every reporting institution to file a CTR with the FRC on every cash transaction equivalent to or exceeding USD 15,000 or its equivalent in any other currency, whether or not the transaction appears to be suspicious. The current threshold was introduced by the Anti-Money Laundering and Combating of Terrorism Financing Laws (Amendment) Act 2023 (effective 15 September 2023), which raised the figure from USD 10,000 to USD 15,000, and was operationalised by POCAMLR gazetted on 6 October 2023 and by Financial Reporting Centre Circular No. 4 of 2023 dated 19 October 2023.

The threshold applies to physical currency — banknotes and coins. It does not apply to electronic transfers, cheque deposits, or card transactions. Mobile money cash-in and cash-out transactions are treated as cash transactions for threshold purposes. See our Kenya CTR Threshold: The USD 15,000 Rule Explained for full technical detail on the threshold, foreign currency conversion, the FRC's position on same-day sub-threshold transactions, and the filing deadline.

Filing a CTR does not imply that the transaction is suspicious. The vast majority of CTRs involve entirely legitimate business activity — cash-intensive traders, supermarkets, petrol stations, pharmacies, and other businesses that routinely handle large amounts of physical cash. CTRs are a financial intelligence input, not an accusation.

Friday-of-Week Filing Requirement

Regulation 40(3)(c) of POCAMLR requires that the CTR be submitted to the FRC by the Friday of the week in which the qualifying transaction was conducted, through the goAML application at https://goaml.frc.go.ke. The Financial Reporting Centre Circular No. 4 of 2023 confirms this position.

The deadline is calculated from the transaction date — the date the cash was deposited or withdrawn. A transaction on Monday must be reported by the same Friday (four business days); a transaction on Thursday gives effectively one business day to detect, prepare, approve, and submit.

This compressed window makes real-time or near-real-time threshold monitoring a practical necessity. Institutions that rely on weekly batch reviews of transaction data cannot reliably meet the Friday-of-week deadline without automation.

Same-Day Sub-Threshold Transactions: The FRC's Position

The FRC's position — set out in paragraph 4.3 of Financial Reporting Centre Circular No. 4 of 2023 — is that where multiple cash transactions are carried out in a day in a single account and each transaction individually falls below the reporting threshold, the reporting institution shall not aggregate those transactions for CTR purposes. A CTR is triggered by an individual cash transaction at or above the USD 15,000 equivalent.

Where the pattern of sub-threshold transactions appears to be unusual or suspicious — for example, deliberate splitting to stay below the threshold — the institution's obligation is to file a Suspicious Transaction or Activity Report (STR/SAR) under POCAMLA and POCAMLR, not a CTR (Circular §4.4). This separates the two pathways clearly: CTR is per-transaction and objective; structuring monitoring is pattern-based and leads to an STR.

Effective implementation of both pathways requires: a centralised customer identifier (National ID or CIF) that is used consistently across all branches and channels; real-time or near-real-time transaction data across channels; per-transaction threshold detection against the USD 15,000 equivalent; and a separate structuring-pattern surveillance capability that surfaces cases for STR review.
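The two pathways described above can be sketched as follows. This is an added example, not code from the FRC or from any product. The transaction type codes, the conversion rates, the weekend roll-forward in `ctr_due_date` and the same-day splitting rule are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

CTR_THRESHOLD_USD = Decimal("15000")  # threshold stated in the guide

# Hypothetical type codes. Per the guide, physical cash and mobile money
# cash-in/cash-out count; transfers, cheques and card payments do not.
CASH_TYPES = {"cash_deposit", "cash_withdrawal", "mm_cash_in", "mm_cash_out"}

# Constructed conversion rates (currency units per 1 USD), not real rates.
RATES_PER_USD = {"USD": Decimal("1"), "KES": Decimal("130")}


@dataclass(frozen=True)
class Txn:
    ref: str
    customer_id: str  # centralised identifier (National ID or CIF)
    channel: str      # branch, agent, mobile, digital
    tx_type: str
    amount: Decimal
    currency: str
    tx_date: date


def usd_equivalent(txn):
    return txn.amount / RATES_PER_USD[txn.currency]


def ctr_due_date(tx_date):
    """Friday of the week in which the transaction was conducted.

    Assumption: a Saturday or Sunday transaction rolls to the following
    Friday; the guide does not say how weekend transactions are treated.
    """
    return tx_date + timedelta(days=(4 - tx_date.weekday()) % 7)


def classify(txns):
    """Return (ctrs, str_review).

    ctrs: one (ref, due_date) per individual cash transaction at or above
    the threshold. Sub-threshold transactions are never summed into a CTR.
    str_review: same-customer, same-day groups of two or more sub-threshold
    cash transactions whose total reaches the threshold. This is one
    illustrative surveillance rule; a hit opens a case for STR review.
    """
    ctrs, sub = [], defaultdict(list)
    for t in txns:
        if t.tx_type not in CASH_TYPES:
            continue
        if usd_equivalent(t) >= CTR_THRESHOLD_USD:
            ctrs.append((t.ref, ctr_due_date(t.tx_date)))
        else:
            sub[(t.customer_id, t.tx_date)].append(t)

    str_review = []
    for (customer_id, day), group in sorted(sub.items()):
        total = sum(usd_equivalent(t) for t in group)
        if len(group) >= 2 and total >= CTR_THRESHOLD_USD:
            str_review.append({
                "customer_id": customer_id,
                "date": day,
                "refs": [t.ref for t in group],
                "channels": sorted({t.channel for t in group}),
                "total_usd": total.quantize(Decimal("0.01")),
            })
    return ctrs, str_review


# Constructed sample data covering branch, agent, mobile and digital channels.
SAMPLE = [
    Txn("T1", "C001", "branch", "cash_deposit", Decimal("2100000"), "KES", date(2026, 4, 6)),
    Txn("T2", "C002", "agent", "cash_deposit", Decimal("700000"), "KES", date(2026, 4, 9)),
    Txn("T3", "C002", "branch", "cash_deposit", Decimal("700000"), "KES", date(2026, 4, 9)),
    Txn("T4", "C002", "mobile", "mm_cash_in", Decimal("650000"), "KES", date(2026, 4, 9)),
    Txn("T5", "C003", "digital", "eft_transfer", Decimal("5000000"), "KES", date(2026, 4, 9)),
    Txn("T6", "C004", "branch", "cash_withdrawal", Decimal("15000"), "USD", date(2026, 4, 11)),
    Txn("T7", "C005", "branch", "cash_deposit", Decimal("500000"), "KES", date(2026, 4, 8)),
]

if __name__ == "__main__":
    ctrs, reviews = classify(SAMPLE)
    for ref, due in ctrs:
        print(f"CTR {ref} due {due.isoformat()}")
    for case in reviews:
        print("STR review:", case)
```

Customer C002 produces no CTR even though the day's cash total exceeds the threshold, because the group only becomes visible once agent, branch and mobile records share one customer identifier.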


Penalties for Non-Compliance

Criminal Penalties for Officers

POCAMLA imposes criminal liability on the officers and employees of reporting institutions who wilfully fail to comply with their reporting obligations. Specific criminal offences and penalties include:

  • Failure to report (STR/CTR): An officer who wilfully fails to make a required report faces up to 3 years imprisonment, or a fine not exceeding KES 1,000,000, or both
  • Tipping-off: An individual who discloses information that could identify or lead to the identification of a person who has made a report faces up to 3 years imprisonment or a fine not exceeding KES 5,000,000
  • Obstruction of the FRC: Obstructing an FRC officer in the exercise of their powers carries up to 2 years imprisonment
  • False reporting: Knowingly making a false or misleading report to the FRC carries up to 5 years imprisonment

The criminal liability of officers is personal. It does not require that the institution itself be convicted. A compliance officer who personally fails to file a required STR — or who instructs staff not to file — faces prosecution regardless of whether the institution takes any action.

Civil Penalties on Institutions

In addition to the criminal regime, POCAMLA as amended gives the FRC powers to impose administrative civil penalties on institutions. These penalties are imposed without the need for criminal prosecution and are calculated as follows:

  • For failure to register with the FRC: up to KES 500,000
  • For failure to file a required CTR or STR: up to KES 500,000 per violation, or up to 10% of the value of the transaction involved, whichever is greater
  • For failure to maintain required records: up to KES 500,000
  • For failure to conduct required customer due diligence: up to KES 500,000 per customer relationship
  • For provision of false information to the FRC: up to KES 1,000,000
  • For systemic or repeated failures: enhanced penalties with multipliers

The FRC has publicised several enforcement actions since the 2023 amendments, and the trend is toward more active use of civil penalty powers. Institutions that have historically viewed AML/CFT non-compliance as a low-risk administrative matter should revise that assessment.

CBK Supervisory Actions

For institutions supervised by the CBK, AML/CFT compliance failures identified during examination can trigger a range of supervisory responses beyond FRC penalties:

  • Formal direction: CBK issues a written direction requiring the institution to remedy the identified deficiency within a specified timeframe, with quarterly progress reporting
  • Composite risk rating downgrade: AML/CFT compliance is a component of the CBK's supervisory risk assessment. A downgrade can affect the institution's capital adequacy requirements and supervisory treatment
  • Enhanced supervision: Increased frequency of CBK inspection visits, with mandatory quarterly meetings between CBK supervisors and senior management
  • Business restrictions: Limitations on new product launches, branch openings, or customer onboarding until AML/CFT deficiencies are remediated
  • Consent orders: Public, legally binding agreements to remediate identified deficiencies, which become part of the institution's public regulatory record
  • Licence conditions: Conditions attached to the banking licence that restrict the institution's business activities
  • Licence revocation: In cases of extreme or persistent non-compliance, the CBK can revoke a banking licence — the most severe sanction in the supervisory toolkit

Case Examples of Enforcement in Kenya

While the FRC does not always publicise individual enforcement actions, several instances of regulatory action against Kenyan financial institutions for AML/CFT failures have become known through CBK press releases, court records, and industry reporting. These include:

  • A mid-tier bank receiving a formal CBK direction following an AML/CFT thematic examination that identified systemic failures in CTR filing — including a multi-year period in which the bank had filed zero CTRs despite operating high-volume cash businesses
  • A forex bureau operator having its CBK licence suspended pending investigation following FRC findings of failure to register and file required reports
  • A microfinance bank receiving an FRC administrative penalty following a pattern of late CTR filings identified during an FRC inspection

These examples illustrate that enforcement is not theoretical. The FRC and CBK are actively using their powers, and institutions should treat the compliance programme as a genuine operational necessity.


Customer Due Diligence as Prerequisite for Good Reporting

KYC Data Quality and Its Impact on XML Submission

Customer due diligence (CDD) and AML reporting are inseparable. The quality of the STR and CTR submissions your institution files through goAML is directly determined by the quality of the KYC data your institution holds on its customers.

If your KYC records lack a customer's National ID number, you cannot produce a schema-valid CTR XML for that customer. If your records contain an incorrectly formatted date of birth, the CTR will fail validation. If your address records contain only a post office box, you cannot satisfy the FRC's requirement for a physical address.

Many CTR and STR rejections at the FRC portal are not caused by problems with the transaction data — they are caused by poor underlying KYC data that cannot populate the mandatory XML fields correctly. Remedying this requires a KYC data quality programme, not just an XML generation improvement.

National ID and Huduma Namba Requirements

For Kenyan national customers, the National ID number is mandatory in every CTR and STR submission. The Kenya National ID is an 8-digit number printed on the national identity card. It must be entered without spaces, hyphens, or any prefix. Incorrect formatting is the single most common cause of individual field validation failures at the FRC portal.

The Huduma Namba — Kenya's national integrated identity management number — is accepted as an additional identifier where a customer has been registered. It does not replace the National ID; it supplements it. Institutions should capture the Huduma Namba at onboarding where the customer has one.

For foreign nationals, a Passport number is mandatory, along with the country of issue and expiry date. For corporate customers, the KRA PIN and Certificate of Incorporation number are mandatory.

Institutions should audit their KYC records regularly against these requirements. A periodic quality check that identifies customers whose National ID is missing, incorrectly formatted, or recorded only as a placeholder value will reveal the scope of the data quality problem before it manifests as a rejected submission.
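A periodic check of this kind might look like the following. This is an added example, not the FRC's validation logic. The record field names, the placeholder list, the ISO date format for date of birth and the post office box pattern are assumptions.

```python
import re
from datetime import date

# 8 ASCII digits with no spaces, hyphens or prefix, as the guide describes.
NATIONAL_ID_RE = re.compile(r"[0-9]{8}")
# Constructed examples of placeholder values sometimes keyed in at onboarding.
PLACEHOLDER_IDS = {"00000000", "11111111", "12345678", "99999999"}
# Assumption: date of birth is stored as YYYY-MM-DD.
DOB_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
# An address that starts with "P.O. Box" is treated as postal-only.
PO_BOX_RE = re.compile(r"^\s*p\.?\s*o\.?\s*box\b", re.IGNORECASE)

REQUIRED_BY_TYPE = {
    "foreign_national": ("passport_number", "passport_country", "passport_expiry"),
    "corporate": ("kra_pin", "incorporation_number"),
}


def check_national_id(value):
    if not value:
        return "national_id_missing"
    if not NATIONAL_ID_RE.fullmatch(value):
        return "national_id_bad_format"
    if value in PLACEHOLDER_IDS:
        return "national_id_placeholder"
    return None


def check_dob(value):
    if not value:
        return "dob_missing"
    if not DOB_RE.fullmatch(value):
        return "dob_bad_format"
    try:
        date.fromisoformat(value)  # rejects impossible dates such as 1985-02-30
    except ValueError:
        return "dob_bad_format"
    return None


def check_address(value):
    if not value or not value.strip():
        return "address_missing"
    if PO_BOX_RE.match(value):
        return "address_po_box_only"
    return None


def audit_record(rec):
    """Return the list of data quality findings for one KYC record."""
    findings = []
    kind = rec.get("customer_type")
    if kind == "kenyan_national":
        findings.append(check_national_id(rec.get("national_id")))
    elif kind in REQUIRED_BY_TYPE:
        for field in REQUIRED_BY_TYPE[kind]:
            if not rec.get(field):
                findings.append(f"{field}_missing")
    else:
        findings.append("unknown_customer_type")
    if kind != "corporate":
        findings.append(check_dob(rec.get("dob")))
    findings.append(check_address(rec.get("address")))
    return [f for f in findings if f]


def audit(records):
    """Map customer id to findings, listing only records with problems."""
    report = {}
    for rec in records:
        findings = audit_record(rec)
        if findings:
            report[rec["customer_id"]] = findings
    return report


# Constructed sample records; none of these identifiers belong to real people.
SAMPLE_RECORDS = [
    {"customer_id": "K1", "customer_type": "kenyan_national", "national_id": "23456781",
     "dob": "1985-03-14", "address": "Kimathi Street, Nairobi County"},
    {"customer_id": "K2", "customer_type": "kenyan_national", "national_id": "2345 6781",
     "dob": "14/03/1985", "address": "P.O. Box 12345-00100, Nairobi"},
    {"customer_id": "K3", "customer_type": "kenyan_national", "national_id": "00000000",
     "dob": "1990-11-02", "address": "Moi Avenue, Mombasa County"},
    {"customer_id": "K4", "customer_type": "foreign_national", "passport_number": "X0000000",
     "passport_expiry": "2030-01-01", "dob": "1979-06-30",
     "address": "Ngong Road, Nairobi County"},
    {"customer_id": "K5", "customer_type": "corporate", "incorporation_number": "PLACEHOLDER-1",
     "address": "Industrial Area, Nairobi County"},
]

if __name__ == "__main__":
    for customer_id, findings in audit(SAMPLE_RECORDS).items():
        print(customer_id, findings)
```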

Beneficial Ownership for Entities

Under the 2023 POCAMLA amendments, reporting institutions are required to identify and verify the beneficial owners of all legal entity customers — not just high-risk customers or those above specific thresholds. A "beneficial owner" for this purpose is any natural person who directly or indirectly owns or controls 25% or more of the entity, or who exercises effective control through other means (such as serving as a nominee director).

Beneficial ownership information must be captured at onboarding and updated whenever there is a change in the entity's ownership structure. For STR submissions involving a legal entity, beneficial ownership information must be included in the XML submission.

Many Kenyan financial institutions' KYC systems do not currently capture beneficial ownership data in a structured way — it may be noted in free-text fields, scanned document attachments, or not captured at all. The 2023 amendments make structured beneficial ownership data capture a regulatory requirement, and institutions that have not yet updated their onboarding systems to capture it must do so as a priority.

Enhanced Due Diligence Triggers

POCAMLA and the CBK's Prudential Guideline require enhanced due diligence (EDD) for certain categories of customer relationships and transactions. EDD triggers include:

  • Politically Exposed Persons (PEPs): Current or former senior public officials (domestic or foreign), their immediate family members, and known close associates require EDD — including enhanced verification of source of funds and source of wealth, senior management approval for onboarding, and ongoing enhanced monitoring
  • High-risk jurisdictions: Customers resident in or funds originating from jurisdictions on the FATF grey or black list, or on the FRC's high-risk country list, require EDD
  • Correspondent banking: Banking relationships with other financial institutions (particularly for cross-border payments) require EDD including assessment of the respondent institution's AML/CFT programme
  • Shell companies and complex ownership structures: Entities with complex or opaque ownership structures, or entities whose ultimate beneficial owner cannot be identified, require EDD
  • High-risk business types: Cash-intensive businesses, money service businesses, dealers in high-value goods, and businesses operating in sectors with known ML/TF risk profiles require EDD

EDD does not prevent an institution from serving these customers — it requires a higher standard of diligence, documentation, and ongoing monitoring. Critically, even customers who have passed EDD remain subject to suspicious activity monitoring and STR obligations.


Record-Keeping Obligations

5-Year Retention Requirement

POCAMLA requires reporting institutions to retain records of all transactions, customer identification and verification documents, business correspondence, and results of analysis related to suspicious activity for a minimum of 5 years from the date of the transaction or the end of the business relationship, whichever is later.

The 5-year retention period applies regardless of whether the transaction generated a CTR or STR. Every transaction must be recorded and retained. This requirement has significant implications for data storage and management — core banking systems must be configured to retain transaction history for at least 5 years, and KYC records must be retained for 5 years after the relationship ends.

For STR and CTR submissions, the FRC recommends that institutions retain copies of submitted XML files, submission receipts, and the case documentation (case notes, approval records, narrative drafts) for at least 5 years. This documentation must be producible on FRC request — institutions that cannot produce copies of their submitted reports risk a finding of record-keeping failure even if the reports were originally filed correctly.

Audit Trail Standards Under POCAMLA

POCAMLA and the CBK Prudential Guideline both require reporting institutions to maintain audit trails that evidence their compliance with AML/CFT obligations. The audit trail for an STR or CTR should demonstrate:

  • When the transaction occurred
  • When the threshold breach or suspicious activity was detected
  • When the case was escalated to the compliance function
  • When the compliance officer reviewed the case
  • When the report was approved by authorised management
  • When the report was submitted to the FRC
  • Whether the submission was accepted or rejected
  • If rejected, when the correction was made and resubmission filed

This level of documentation requires a systematic compliance management process — not ad hoc email chains or spreadsheets.

What Regulators Look for During Inspections

When the FRC or CBK conducts an AML/CFT inspection of a reporting institution, the examination team will typically request:

  • A sample of CTR and STR submissions from the past 12 months, with the case files showing the detection, review, and approval process for each
  • Evidence that all threshold-triggering transactions during the inspection period generated CTR cases — inspectors may pull transaction data from the core banking system and compare it to submitted CTRs
  • Statistics on filing timeliness — the average and distribution of days between transaction date and CTR submission, and between suspicion-formation date and STR submission
  • Training records for all compliance and customer-facing staff
  • Board and management reporting on AML/CFT programme performance
  • Policies and procedures for suspicious activity identification and escalation
  • Evidence of the internal audit function's coverage of AML/CFT

Institutions that can produce all of this documentation quickly, in organised form, from a compliance management system perform significantly better in inspections than those that must manually assemble records from email archives and spreadsheets.


Building a POCAMLA-Compliant Workflow

Analyst to Compliance Officer to Approval to Submission

A POCAMLA-compliant STR workflow should follow a structured, documented sequence:

Step 1 — Detection: A transaction monitoring alert is generated (for pattern-based suspicious activity) or a teller, relationship manager, or compliance analyst identifies a potential suspicious activity and creates a case.

Step 2 — Initial analysis: A compliance analyst reviews the alert, gathers relevant transaction history, customer profile information, and any available counterparty data. The analyst prepares an initial assessment noting the basis for suspicion.

Step 3 — Escalation decision: The analyst determines whether the case should be escalated as an STR, closed with documentation of the reason, or referred for enhanced due diligence before a filing decision is made. If the decision is to file, the analyst prepares the draft STR case including the narrative.

Step 4 — Compliance Officer review: The MLRO or a designated senior compliance officer reviews the draft STR — assessing the sufficiency of the basis for suspicion, the quality of the narrative, the accuracy of the indicator selections, and the completeness of the subject identification. The Compliance Officer approves or rejects the draft, with rejection accompanied by specific feedback for the analyst.

Step 5 — XML generation and pre-validation: The approved case is converted to goAML-schema XML and validated against the FRC's validation rules before submission.

Step 6 — Submission: The validated XML is submitted to the FRC goAML portal. Submission confirmation is logged in the case file.

Step 7 — Post-submission: The submission status (accepted or rejected) is recorded. Rejected submissions are corrected and resubmitted. Accepted submissions are archived with the complete case documentation.

Each step must be documented with timestamps and user identities. This documentation is the evidence that your compliance programme functions as designed.
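One way to make the step-by-step record above, and the audit trail listed under "Audit Trail Standards Under POCAMLA", tamper-evident. This is an added example, not Creodata's or the FRC's code: hash chaining is a technique chosen here, and the step names, user names and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry (assumed convention)

def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of one entry's fields."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(trail, step, user, timestamp, outcome=""):
    """Append a workflow step, chained to the hash of the entry before it."""
    body = {"step": step, "user": user, "timestamp": timestamp,
            "outcome": outcome, "prev": trail[-1]["hash"] if trail else GENESIS}
    trail.append({**body, "hash": entry_digest(body)})

def verify(trail):
    """Return None if the trail is intact, else (index, reason) of the first fault."""
    prev, last_ts, approved = GENESIS, "", False
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry_digest(body) != entry["hash"]:
            return i, "hash chain broken"
        if not entry["user"] or not entry["timestamp"]:
            return i, "missing user or timestamp"
        if entry["timestamp"] < last_ts:  # ISO 8601 UTC strings sort chronologically
            return i, "timestamp earlier than previous step"
        if entry["step"] == "officer_review":
            approved = entry["outcome"] == "approved"
        if entry["step"] == "submission" and not approved:
            return i, "submission without approval"
        prev, last_ts = entry["hash"], entry["timestamp"]
    return None

def sample_trail():
    """Constructed STR case: a rejected draft, a rework, then approval and filing."""
    trail = []
    for step, user, ts, outcome in [
        ("detection", "tm-engine", "2026-03-02T08:15:00Z", "alert"),
        ("analysis", "analyst.a", "2026-03-02T11:40:00Z", "escalate"),
        ("officer_review", "mlro.b", "2026-03-03T09:05:00Z", "rejected"),
        ("analysis", "analyst.a", "2026-03-03T14:20:00Z", "escalate"),
        ("officer_review", "mlro.b", "2026-03-04T10:00:00Z", "approved"),
        ("xml_validation", "system", "2026-03-04T10:02:00Z", "valid"),
        ("submission", "mlro.b", "2026-03-04T10:10:00Z", "accepted"),
    ]:
        append(trail, step, user, ts, outcome)
    return trail
```

A chain like this only detects edits if the latest hash is also held somewhere the application's own administrators cannot rewrite (write-once storage or a separate system), because anyone who can replace every entry can recompute every hash.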

Technology and Documentation Best Practices

The compliance workflow described above cannot be reliably implemented through manual processes at any scale. An automated compliance management platform:

  • Triggers case creation automatically from core banking alerts or manual notification
  • Pre-populates case fields with customer and transaction data from the core banking system
  • Guides the analyst through the required analysis steps with structured templates
  • Enforces mandatory field completion before escalation is permitted
  • Routes cases through the approval workflow with automated notifications
  • Generates schema-valid XML with pre-submission validation
  • Submits to the FRC portal and logs the submission confirmation
  • Maintains an immutable audit trail of every action, automatically

Beyond the workflow benefits, a compliance management platform also produces the management information that POCAMLA compliance requires: filing volume statistics, timeliness metrics, rejection rates, and outstanding case pipeline — all reportable to senior management and the board in real time.

Training Requirements for Staff

POCAMLA and the CBK Prudential Guideline require AML/CFT training for all relevant staff. The FRC's guidance on training requirements specifies:

  • All staff: Annual awareness training covering what money laundering and terrorism financing are, why the institution is required to comply, what red flags look like in everyday transactions, and the tipping-off prohibition
  • Customer-facing staff: Additional training on CDD requirements, PEP identification, and the escalation process for suspicious activity
  • Compliance team: In-depth training on POCAMLA obligations, goAML reporting requirements, indicator taxonomy, narrative standards, and the approval workflow
  • Senior management and board: Training on governance obligations, management information requirements, and the consequences of non-compliance

Training records must document: the training programme content, the date delivered, the names and roles of attendees, and the results of any assessment or test conducted. These records must be available for inspection by the FRC and CBK.

The FRC has noted in inspection findings that many institutions provide annual awareness training but cannot demonstrate that the training content covered current regulatory requirements — particularly the 2023 POCAMLA amendments. Training programmes should be reviewed and updated following every significant regulatory change.


Build Your POCAMLA-Compliant Programme with Creodata

POCAMLA compliance in 2026 is not a compliance department issue — it is a business continuity issue. The penalties are real, the enforcement is active, and the reputational and correspondent banking consequences of being associated with AML/CFT failures are severe.

Building a genuinely POCAMLA-compliant AML reporting programme requires more than well-written policies. It requires a technology platform that automates threshold detection, enforces the reporting workflow, generates schema-valid goAML XML, and maintains an immutable audit trail that stands up to FRC inspection and ESAAMLG mutual evaluation scrutiny.

Creodata's goAML AML Reporting Platform is purpose-built for Kenya's regulatory requirements — handling the full compliance lifecycle from per-transaction USD 15,000-equivalent CTR detection through structuring-pattern surveillance, multi-level STR approval, FRC portal submission, and immutable case documentation. It is the same platform supporting institutions in Zambia, Uganda, Tanzania, and Rwanda, with country-specific profiles for each FIU.

See how Creodata transforms POCAMLA compliance — request your demo at creodata.com/demo.