Rwanda FIC goAML Reporting: A Practical Guide for Banks
Rwanda runs the youngest financial intelligence regime in the East African Community — and one of the fastest-moving. The Financial Intelligence Centre (FIC) only became operational in December 2020, yet by mid-2026 Rwanda has rebuilt its core AML statute (Law N° 028/2023), stood up a UNODC goAML portal for electronic reporting, published a national risk assessment, taken the ESAAMLG chairmanship, expanded the FIC's powers by a January 2025 amendment, and brought a virtual-asset law into force. The direction of travel is unmistakable: Kigali is building an international financial centre, and the compliance infrastructure is being professionalised to match.
For compliance officers, the operational picture is exacting in ways that differ from neighbouring markets: suspicious transaction reports are expected within 24 hours under FIC guidance, cash transaction reporting runs on sector-specific thresholds rather than a single national figure, and the 2024 ESAAMLG mutual evaluation — which rated Rwanda's STR laws Compliant but its effectiveness mostly Low, and noted that STR volumes actually fell 28% between 2022 and 2023 — tells every reporting entity exactly where supervisory attention is heading: more reports, better reports, and from more sectors than just the banks.
This guide is a practical reference for Rwandan reporting persons: the legal framework, the FIC's goAML portal, CTR and STR requirements, identity and registry data, penalties, and how to run Rwanda's rules on the same platform you use across the region.
For regional context, see our companion guides: Kenya FRC goAML Reporting: Complete Guide, Uganda FIA goAML Reporting, Tanzania FIU goAML Reporting, and Zambia FIC goAML Compliance.
Rwanda's AML Legal Framework
From Police Reporting to an Independent FIC
Rwanda's financial intelligence function has been rebuilt from the ground up in five years. Before 2020, the predecessor Financial Investigation Unit sat under the Ministry of Internal Security, and reporting entities filed suspicious transaction reports to the Police and to the National Bank of Rwanda in parallel — an arrangement the ESAAMLG assessors politely described as having "created confusion."
Law N° 74/2019 of 29/01/2020 established the Financial Intelligence Centre as an independent body under the ministry responsible for finance. The FIC became operational in December 2020 and formally took over from the old unit in March 2021. Its governing statute today is Law N° 045/2021, amended by Law N° 002/2025 of 22 January 2025 — an amendment that expanded the Centre's monitoring and information-gathering powers, heightened reporting-entity obligations, and streamlined international cooperation.
One structural fact worth knowing: Rwanda is not yet a member of the Egmont Group of Financial Intelligence Units. The application process is underway, with FIU Mauritius and FIC South Africa as sponsors. Membership will further raise expectations on the quality of the financial intelligence the FIC receives — which is to say, on the quality of your institution's reports.
Law N° 028/2023 — the Current AML Statute
Rwanda's substantive AML/CFT/CPF law is Law N° 028/2023 of 19/05/2023 on the prevention and punishment of money laundering, financing of terrorism and financing of proliferation, which repealed and replaced the 2019 law. The obligations that drive day-to-day compliance sit in two articles:
- Article 30 — suspicious transaction reporting: a reporting person must "promptly" report suspicion or reasonable grounds for suspicion, covering attempted transactions, with no monetary threshold.
- Article 31 — cash transaction and wire transfer reporting at or above thresholds, with the thresholds, modalities, and time limits delegated to FIC regulations.
The detail lives in FIC regulations — principally Regulation N° 1 of 2022 and the AML/CFT Regulations N° 002/FIC/2023 issued in June 2023 — plus the FIC's STR guidance of July 2023 and the National Bank of Rwanda's Regulation N° 72/2023, which arms the central bank with administrative sanctions, up to and including licence withdrawal, for the institutions it supervises.
The 2024 Mutual Evaluation: Compliant Laws, Low Effectiveness
Rwanda's second-round ESAAMLG mutual evaluation (on-site mid-2023, report approved July 2024) produced a distinctive scorecard. On technical compliance, the reporting framework scored well — Recommendation 20 (STR reporting) was rated Compliant and Recommendation 29 (the FIU) Largely Compliant. On effectiveness, financial intelligence (Immediate Outcome 6) was the only outcome rated Moderate; the other ten were rated Low, and Rwanda was placed in enhanced follow-up.
The reporting-specific findings should shape every Rwandan compliance programme:
- STRs made up only about 15% of the reports the FIC received, and STR volumes fell 28% between 2022 and 2023
- Banks dominate filing; money transfer providers filed a few dozen reports; the entire DNFBP sector filed roughly five STRs in the review period
- Only about half of bank STRs were assessed as good quality, and FIC feedback to reporting entities was largely limited to acknowledgements
The August 2025 follow-up report re-rated several Recommendations upward, and Rwanda assumed the ESAAMLG chairmanship that same month — a reputational commitment that translates into domestic supervisory pressure. The FIC's late-2025 inspection sweep of the real estate sector is exactly what that looks like in practice.
The FIC and the goAML Portal
How FIC Rwanda Uses goAML
The FIC operates a UNODC goAML portal as its electronic reporting platform, with production at goweb.fic.gov.rw. At the time of the 2023 mutual evaluation on-site, STRs were still being filed by encrypted email and goAML had been purchased but was not yet operational; the portal has since gone live, and by early 2026 the FIC was running goAML reporting training for professional sectors. If your institution's procedures still describe email filing, they are out of date.
The portal accepts STR, SAR, CTR, and WTR (wire transfer report) types. Registration as a reporting organisation requires a copy of your regulator licence, the certificate of domestic company registration, and the compliance officer's appointment letter. Institutions building automated XML submission pipelines for CTR and WTR volumes are required to prove their files in the goAML testing environment before being authorised for production — a sensible gate that rewards getting schema validation right the first time.
Who Must Report
Article 7 of Law N° 028/2023 defines the reporting persons:
- Financial institutions — which, through Bank of Rwanda licensing, covers commercial banks, microfinance institutions and SACCOs, e-money issuers and mobile money channels, money remitters, and forex bureaus
- Advocates, notaries, and independent legal professionals when handling real estate transactions, client funds, or company formation and management
- Auditors, accountants, and tax advisors
- Real estate agents
- Dealers in precious metals and precious stones
- Persons in the business of distributing money
- Casinos and gaming halls of national lotteries
- Trust and company service providers
Non-profit organisations carry separate obligations under Article 43, and a Ministerial Order can extend the list. Note that virtual asset service providers are not yet listed as reporting persons — Rwanda's virtual-asset law only came into force in May 2026 (see below), and the FIC reporting obligations for VASPs are still taking shape.
Differences from Kenya FRC in Practice
- Sector-specific CTR thresholds. Unlike Kenya's single national threshold, Rwanda sets different cash-reporting lines per sector (see next section). Threshold logic must be configured per reporting-entity type, not per country alone.
- A 24-hour STR expectation. The FIC's published guidance sets the STR window at 24 hours — tighter than Kenya, in line with Tanzania, and far tighter than the multi-day windows many regional procedures assume.
- The newest portal in the region. Rwanda's goAML instance is the most recently deployed in the EAC; registration documentation requirements and the test-before-production gate are enforced strictly, and entities migrating from email-era procedures need to re-paper their processes.
- Identifiers. Rwanda uses the 16-digit NIDA National Identification Number for individuals and the RDB company code — which doubles as the RRA tax identification number — for entities.
CTR Thresholds: Sector-Specific by Design
The Threshold Table
Rwanda's cash transaction reporting thresholds are set by FIC regulation per sector. Under FIC Regulation N° 1 of 2022, the gazetted baseline figures are:
| Reporting context | Threshold (FRW) |
|---|---|
| Occasional clients (no business relationship) | above 10,000,000 |
| Financial institutions (excluding inter-bank/FI transfers) | 50,000,000 — but see the note below |
| Casinos | 3,000,000 |
| Dealers in precious metals and stones | 15,000,000 |
| Electronic money | 1,000,000 |
| Motor vehicle dealers | 60,000,000 |
An important caution on the financial-institution figure: the FIC issued updated AML/CFT Regulations (N° 002/FIC/2023) in June 2023, and the FIC's current published guidance lists the financial-institution cash reporting threshold at FRW 10,000,000 (excluding inter-bank transfers) — not the FRW 50 million in the 2022 regulation. Institutions should confirm the operative figure with the FIC directly and configure monitoring to the stricter reading until confirmed in writing. This is precisely the kind of moving regulatory detail that a maintained country-profile configuration exists to absorb.
Reports are due within two working days, and the aggregation rule is explicit: linked transactions that individually sit below the threshold but together exceed it are reportable as one. Separately, cross-border movements of cash or bearer negotiable instruments of FRW 10,000,000 and above must be declared at the border under the FIC's cross-border declaration regime.
What This Means Operationally
Sector-specific thresholds make Rwanda the clearest case in the region for configuration-driven monitoring. A banking group with an e-money subsidiary and an insurance arm faces three different reporting lines in one country. Hard-coding "the Rwanda threshold" into detection logic is a design error; the threshold is a function of the reporting entity's sector, the client relationship type, and the transaction channel.
STR Filing Requirements
Prompt Means 24 Hours
Article 30 of Law N° 028/2023 requires reports to be made "promptly," covers attempted transactions, and applies regardless of amount. The time limit is set by FIC regulation and guidance: the FIC's published position is that suspicious transactions are reported within 24 hours of forming the suspicion. Build your alert-escalation-narrative-approval workflow to that clock. As elsewhere in the region, the clock starts at suspicion, not at the end of an internal investigation — and Rwanda's penalty provisions (below) make slippage expensive.
Typologies the FIC Expects You to Detect
Rwanda's first National ML/TF Risk Assessment (published November 2024) rates the country's overall ML risk as Medium-Low, with the highest exposure in banking, e-money issuers, and forex bureaus, and proceeds laundered predominantly through banking and real estate. Monitoring rules in a Rwandan deployment should be calibrated to:
- Real estate — the FIC's enforcement focus sector, inspected in late 2025; watch cash-intensive purchases and layering through property
- Gold and 3TG minerals trade — trade-based laundering and beneficial-ownership opacity, including proceeds of illegal mining in the DRC moving through Rwandan trade channels
- E-money and remittance corridors — rated more susceptible to terrorism financing; structuring below the FRW 1 million e-money threshold is the obvious pattern
- Cross-border cash — the FRW 10 million declaration line and the porous-border realities of the region
- Casinos — the FRW 3 million threshold exists because the sector is on the FIC's radar
Close the DNFBP Gap Before the FIC Closes It for You
The mutual evaluation's starkest number — roughly five STRs from the entire DNFBP sector — guarantees where supervision goes next, and the FIC's professional-sector goAML training drives in 2026 confirm it. Law firms, accountants, real estate agencies, and dealers in precious metals that have never filed are not invisible; they are conspicuous. For these entities, the practical blocker is usually tooling: no transaction monitoring, no XML capability, no case workflow. That is a solvable problem, and solving it before the first FIC inspection is dramatically cheaper than after.
Identity, Registry, and Data Requirements
NIDA, RDB, and the Shared Company Code
For individuals, the primary identifier is the National Identification Number issued by NIDA — a 16-digit number — with passports for foreign nationals. FIC Regulation N° 1 of 2022 lists the acceptable identification documents: passport, identity card, driving licence, and, for entities, the certificate of incorporation.
For legal entities, Rwanda has a simplification its neighbours lack: the RDB company code assigned at incorporation doubles as the RRA tax identification number. One identifier serves both the company registry and the tax authority — capture it once at onboarding, validate it, and carry it into every goAML entity record.
Penalties Snapshot
| Obligation | Provision | Exposure |
|---|---|---|
| Failure to submit an STR, tipping off, destroying records, filing knowingly false documents | Law 028/2023, Art. 61 | 2–5 years' imprisonment + fine of FRW 2–5 million (applies to board members, senior managers, and employees personally) |
| Money laundering | Art. 54 | 10–15 years + fine of 3–5× the value laundered |
| Terrorist financing | Art. 55 | 20–25 years + fine of 3–5×; life imprisonment if death results |
| Failure to register with the FIC | FIC Reg. 1/2022, Art. 5 | Administrative fine up to FRW 10 million |
| Supervisory breaches (BNR-regulated institutions) | BNR Regulation N° 72/2023 | Administrative sanctions up to licence withdrawal |
The Article 61 design is worth a board briefing: STR failures attach criminal liability to the individuals involved — board members and senior managers included — not just the institution.
What Changed in 2023–2026: A Compliance Officer's Shortlist
- May 2023 — Law N° 028/2023 replaces the 2019 AML law.
- June–July 2023 — FIC Regulations N° 002/FIC/2023, the cross-border declaration regulation, FIC STR guidance, and BNR Regulation N° 72/2023 land in quick succession.
- July 2024 — ESAAMLG publishes Rwanda's second-round mutual evaluation: R.20 Compliant, effectiveness mostly Low, enhanced follow-up begins.
- November 2024 — first National Risk Assessment published.
- January 2025 — Law N° 002/2025 expands the FIC's powers.
- August 2025 — follow-up report re-rates four Recommendations upward; Rwanda assumes the ESAAMLG chairmanship for 2025/26.
- October 2025 — FIC Guidelines N° 002/2025 on transparency and beneficial ownership; FIC begins real-estate sector inspections.
- May 2026 — Rwanda's virtual asset business law is gazetted and in force: Capital Market Authority licensing for VASPs, prohibitions on unlicensed activity (penalties up to FRW 100 million for companies), crypto-ATMs and mixers restricted. FIC reporting obligations for the sector are the obvious next step — VASPs operating in Rwanda should build AML reporting capability now, not when the Ministerial Order lands.
Deploying an AML Platform for Rwanda
Country Profile Configuration, Not Custom Code
Rwanda is the strongest argument in the region for configuration-driven compliance tooling. A correct Rwanda country profile holds: sector-specific CTR thresholds (with the FI-threshold question tracked as a configuration item pending FIC confirmation), the two-working-day CTR window and linked-transaction aggregation, the 24-hour STR clock, NIDA NIN (16-digit) and RDB-code identifier validation, the goAML report-type set (STR, SAR, CTR, WTR), and the goweb.fic.gov.rw submission target with its test-before-production gate. When the FIC updates a threshold or issues new guidelines — as it has done repeatedly since 2023 — the profile updates; your deployment doesn't change.
Multi-Country East African Operations
A banking group operating across Rwanda, Kenya, Uganda, and Tanzania faces four FIU portals, four threshold regimes in three currencies plus sector-specific lines, and STR clocks ranging from 24 hours to multiple days. One platform with per-country profiles gives the regional compliance function a single view of filing performance and SLA risk, while each country team files against its own FIU's rules.
Creodata's goAML platform ships with a Rwanda (FIC) country profile maintained by our compliance technology team, alongside profiles for Kenya (FRC), Uganda (FIA), Tanzania (FIU), and Zambia (FIC).
Compliance Checklist for Rwandan Reporting Persons
1. FIC Registration: Your institution is registered on the FIC's goAML portal with the required documents (regulator licence, RDB certificate, compliance officer appointment letter), and your compliance officer details are current.
2. Sector-Correct Thresholds: Your CTR detection applies the right threshold for your sector and client type — and you have written FIC confirmation of the operative financial-institution figure, with monitoring set to the stricter reading meanwhile.
3. Aggregation: Linked sub-threshold transactions are aggregated and reported when they jointly exceed the threshold, across branches and channels.
4. Two-Working-Day CTR Window: CTRs and WTRs reach the FIC within two working days, with acknowledgements retained.
5. 24-Hour STR Process: Your alert-to-filing workflow completes within 24 hours of suspicion being formed — including attempted transactions, with no minimum amount — and the timestamps prove it.
6. Test-Environment Discipline: Automated XML pipelines are validated in the goAML test environment, and schema validation runs before every production submission.
7. Identity Data: 16-digit NINs for nationals, passports for foreigners, RDB company codes for entities — captured at onboarding, validated, and flowing into goAML XML without re-keying.
8. Typology Coverage: Rules calibrated to Rwanda's risk profile: real estate, gold and minerals trade, e-money structuring, cross-border cash, and casino patterns.
9. Beneficial Ownership: Entity records meet the FIC's 2025 transparency and beneficial ownership guidelines, and ownership data appears in STR entity records.
10. Audit Trail: Every report has an immutable record of who detected, reviewed, approved, and submitted it — the evidence base for FIC inspections and the personal-liability protection your approvers will want under Article 61.
Deploy Rwanda-Ready goAML Reporting with Creodata
Rwanda built a modern FIU in five years, took the regional chairmanship, and is now supervising with intent — while its rulebook keeps moving: new law in 2023, new regulations and guidance through 2025, a virtual-asset regime in 2026, and an Egmont application in progress. Compliance processes built on email-era assumptions and a single hard-coded threshold will not survive contact with that pace of change.
Creodata's goAML AML Reporting Platform includes a fully configured Rwanda country profile: sector-specific threshold monitoring with linked-transaction aggregation, 24-hour STR workflow with SLA tracking, NIDA and RDB identifier validation, goAML XML generation validated against the schema before submission, and test-to-production submission discipline built in. One platform across Rwanda, Kenya, Uganda, Tanzania, and Zambia — one audit trail, every jurisdiction.
See the Rwanda configuration in action — request your demo.