STR Indicator Library: AML Typologies for Kenya Banks (2026)

April 18, 2026

Selecting the wrong indicator codes on an STR is not a minor administrative error. In the Kenya FRC's goAML system, indicator codes are the primary classification mechanism that routes your report to the correct FIU investigation team, determines the priority weight assigned to the case, and establishes the analytical framework within which FIU analysts assess the reported activity. An STR filed with indicator codes that do not match the actual transaction pattern may be deprioritized, investigated under the wrong typology, or result in a follow-up information request asking your institution to justify the code selection.

More seriously, systematically selecting incorrect or inadequate indicator codes in your institution's STR programme is a pattern that regulatory examiners notice. It suggests that your compliance analysts either do not understand the underlying AML typologies or are treating indicator selection as a checkbox exercise rather than a substantive analytical judgment. Both interpretations carry regulatory risk.

This article is a practical reference for compliance analysts at Kenyan financial institutions. It organizes the key AML typologies relevant to the Kenyan financial sector into five categories, describes the indicators within each, and provides guidance on the transaction patterns, narrative language, and goAML field alignment that each indicator requires.

How Kenya FRC Uses Indicator Codes

Indicator Codes in the goAML XML Schema

In the goAML XSD v5.0.2 schema, indicator codes are populated in the indicator_codes field of the STR report header. This field accepts a comma-separated list of code identifiers drawn from the Kenya FRC's approved indicator reference list. The field has a maximum length of 500 characters, which accommodates between 10 and 25 indicator codes depending on code length.

The indicator codes field is mandatory for Kenya FRC STR submissions. An STR submitted with an empty or absent indicator codes field will fail business rule validation (ERR_045). For the full mandatory fields reference, see goAML XML Schema v5.0.2: CTR and STR Mandatory Fields Reference.

The specific indicator code identifiers used by Kenya FRC are published in the FRC's guidance documentation and updated periodically. This article describes indicator categories and typologies in functional terms; compliance teams should cross-reference the current FRC code identifiers for exact code values before submitting.

How FIU Analysts Use Indicators to Prioritize STRs for Investigation

The Kenya FRC receives hundreds of STRs monthly from reporting institutions across the financial sector. Indicator codes are the first-pass triage mechanism. FIU analysts use indicator categories to assign reports to specialist investigation units:

Structuring and threshold avoidance reports go to the financial intelligence unit's transaction pattern analysis team
TF-indicator reports are escalated immediately to the counter-terrorism financing unit and, in Kenya's case, shared with relevant security agencies under intelligence sharing protocols
Real estate and beneficial ownership reports are routed to the asset-tracing unit with access to land registry and company registry databases
Trade finance reports may be referred to the FRC's international cooperation unit for engagement with foreign FIUs

An STR with accurate indicator codes reaches the right desk within 24–48 hours. An STR with vague or mismatched codes may circulate in the general queue for significantly longer.

Relationship Between Indicators and Narrative Content

Every indicator code you select must be supported by the narrative. This is a core quality standard in Kenya FRC's STR guidance: the narrative should describe the factual basis for each indicator selected, and no indicator should be coded without corresponding factual support in the narrative text.

The most common compliance failure is selecting a broad set of indicators to "cover all possibilities" without ensuring the narrative addresses each one. If you select a TF indicator but the narrative makes no mention of high-risk jurisdictions, sanctioned parties, or unusual cross-border patterns, the FRC will issue a follow-up request asking you to either substantiate or withdraw the TF indicator. This follow-up delays investigation and creates an evidence trail that your institution coded the report without adequate analytical basis.

The rule is simple: code what you can justify, and justify everything you code.

Category 1 — Structuring / Threshold Avoidance Indicators

Structuring — also known as smurfing — involves the deliberate breaking up of cash transactions into smaller amounts to stay below the USD 15,000 (or equivalent) CTR reporting threshold. It is one of the most common money laundering methodologies observed in Kenyan banking, and under Financial Reporting Centre Circular No. 4 of 2023 the correct reporting pathway for sub-threshold splitting is the STR, not an aggregated CTR.

Indicator 1.1 — Single-Customer Sub-Threshold Cash Deposits Description: Multiple cash deposits by the same customer on the same or consecutive days, each individually below the USD 15,000 equivalent, with no clear business justification for the pattern. Example pattern: Customer deposits the KES equivalent of USD 14,500 at 9:15 AM and USD 14,200 at 2:40 PM on the same day at the same branch. Neither individually reaches the threshold; the combined pattern is consistent with deliberate splitting. Narrative language: "Each individual transaction was below the USD 15,000 equivalent CTR threshold by [amount]. The pattern of sub-threshold deposits on [dates] is not consistent with the customer's declared income or account history and is consistent with deliberate threshold avoidance."

Indicator 1.2 — Multi-Branch Same-Day Sub-Threshold Deposits Description: The same customer conducts cash deposits at multiple branch locations on the same day, with each transaction below the USD 15,000 equivalent but the overall pattern suggesting deliberate geographic dispersal. Example pattern: Deposits of approximately USD 13,800, USD 13,500, and USD 14,100 equivalent at three different branches on the same day — none individually reaching the threshold, but collectively indicative of splitting. Narrative language: "The customer conducted [N] cash deposits at [N] separate branches within a [time period]. The use of multiple branch locations is consistent with deliberate geographic dispersal to avoid single-branch threshold monitoring."

Indicator 1.3 — Third-Party Structured Deposits (Smurfing Network) Description: Multiple different individuals each make cash deposits below threshold into the same account. The depositors are not regular account-related parties and provide inconsistent or no explanations when queried. Example pattern: Seven different individuals, none of whom are the account holder or known associates, each deposit amounts between USD 13,500 and USD 14,800 equivalent into a single business account over three days. Narrative language: "Deposits were made by [N] third parties, none of whom are authorized signatories or known beneficial parties to the account. The deposits are consistent with a smurfing arrangement in which multiple individuals are used to deposit structured amounts into a single account."

Indicator 1.4 — Structuring Immediately Following Account Opening Description: A newly opened account (less than 90 days old) receives structured cash deposits at high frequency, suggesting the account was opened specifically for the structuring scheme. Example pattern: Account opened 14 days ago receives structured deposits on 8 of the first 14 days, with individual amounts consistently between USD 13,200 and USD 14,900 equivalent. Narrative language: "The account was opened [N] days prior to the commencement of the transaction pattern. The immediate commencement of high-frequency sub-threshold deposits is consistent with an account opened specifically for the purpose of structured cash placement."

Indicator 1.5 — Round-Number Cash Withdrawals Structured Below Threshold Description: Repeated cash withdrawals in round numbers just below the threshold, inconsistent with the normal withdrawal pattern for the account type. Example pattern: Eight cash withdrawals of approximately USD 14,500 equivalent over 10 days from a business account that previously showed withdrawals averaging a small fraction of that amount. Narrative language: "The withdrawals are in consistent round-number amounts, each just below the USD 15,000 equivalent CTR threshold. The pattern represents a [X]-fold increase from the account's historical average withdrawal amount."

Indicator 1.6 — Currency Exchange Structured Below CTR Threshold Description: Multiple foreign currency exchange transactions, each below the USD 15,000 equivalent threshold, conducted at the same institution or spread across money transfer operators. Example pattern: Three USD-to-KES cash exchanges of USD 13,500, USD 13,800, and USD 14,200 on consecutive days — each below the threshold individually. Narrative language: "Each currency exchange cash transaction fell below the USD 15,000 equivalent CTR threshold. The pattern of [N] exchanges on consecutive days, totalling approximately [amount] in USD equivalent, is consistent with structured currency exchange to avoid CTR reporting."

Category 2 — Mobile Money Typologies (Kenya-Specific)

Kenya has one of the highest rates of mobile money penetration in the world. M-PESA alone processes over KES 40 trillion annually. This scale makes Kenya's mobile money infrastructure a significant money laundering vector, and the Kenya FRC has developed specific mobile money typologies that are unique to the East African financial environment.

Indicator 2.1 — Rapid Receive-and-Withdraw Pattern (Transit Account) Description: An account receives multiple M-PESA or mobile money transfers in rapid succession and withdraws 90%+ of the received funds within minutes to a few hours. The account shows no retention of funds and no identifiable commercial purpose. Example pattern: Account receives 12 M-PESA transfers totaling KES 1,800,000 between 08:00 and 11:30. By 13:00, KES 1,750,000 has been withdrawn via M-PESA cash-out at six different agents. Net account balance change: KES 50,000. Narrative language: "The account received [N] mobile money transfers totaling KES [amount] within [time period]. Within [time period] of receipt, [percentage] of the received funds were extracted via mobile money cash-out at [N] different agents. The account shows no identifiable commercial function and exhibits behavior consistent with a mule account used for mobile money layering."

Indicator 2.2 — Agent-Mediated Structured Deposits (M-PESA Agent Structuring) Description: Multiple M-PESA agents — or the same agent operating from different agent tills — deposit structured amounts into a bank account or mobile wallet over a short period. Often involves agents who are not known counterparties of the account holder. Example pattern: Fourteen M-PESA agent deposits ranging from KES 95,000 to KES 148,000 into a single account over three days, from agents in Nairobi, Nakuru, and Mombasa. Narrative language: "The deposits were made by [N] different M-PESA agents across [N] counties. Geographic dispersal across multiple cities combined with the sub-threshold individual deposit amounts is consistent with organized agent-mediated structuring."

Indicator 2.3 — Multiple SIM Card / Multi-Wallet Aggregation Description: A customer maintains multiple M-PESA lines or mobile wallets registered to different phone numbers but linked to the same National ID or bank account. Aggregate flows across all numbers exceed thresholds that would trigger reporting on any single number. Example pattern: Customer's National ID is associated with M-PESA wallets registered to three different phone numbers. Each wallet receives sub-threshold deposits; total across all three wallets is KES 3,200,000 in a single month. Narrative language: "National ID [number] is associated with [N] registered M-PESA lines. Aggregate incoming transfers across all [N] wallets in [period] total KES [amount] — the USD equivalent substantially exceeds the USD 15,000 reporting threshold. Individual wallet activity does not reach the threshold, but the aggregate pattern is consistent with deliberate fragmentation across multiple mobile identities."

Indicator 2.4 — Mobile-to-Real-Estate or Mobile-to-Investment Layering Description: Large aggregations of mobile money transfers are consolidated and immediately used to fund a property purchase, investment, or asset acquisition. No intermediate business activity explains the mobile money accumulation. Example pattern: Account accumulates KES 8,500,000 through 60+ mobile money receipts over 30 days, then issues a single banker's cheque to a property developer. Narrative language: "The account received [N] mobile money transfers totaling KES [amount] over [period]. Following accumulation of funds, a single outgoing payment of KES [amount] was issued to a property developer. No business activity consistent with this transaction volume is recorded in the customer's KYC or account history."

Indicator 2.5 — M-PESA Paybill / Till Number Misuse Description: A business M-PESA Paybill or Buy Goods till number receives volume that vastly exceeds the registered business's plausible operational revenue. Often linked to shell businesses or businesses with misrepresented turnover on account opening. Example pattern: A Paybill registered to a small retail grocery receives daily inflows averaging KES 850,000 — revenue consistent with a large supermarket, not a kiosk. Narrative language: "The Paybill number registered to [business name] received KES [amount] in [period], equivalent to an annualized revenue of KES [amount]. The stated business type ([type]) is not consistent with transaction volumes of this magnitude. The pattern is consistent with misuse of a legitimate-appearing business mobile money account as a placement vehicle."

Category 3 — Terrorist Financing (TF) Indicators

Terrorist financing indicators require the highest level of care in both selection and narrative. Under POCAMLA and Kenya's Prevention of Terrorism Act 2012, STRs involving TF indicators are subject to mandatory immediate escalation to the FRC and, where appropriate, to the National Counter Terrorism Centre (NCTC). Kenya FRC practice requires enhanced narrative (minimum 500 words) for all TF-indicator STRs.

Indicator 3.1 — Transactions to High-Risk Jurisdiction Counterparties Description: Incoming or outgoing transfers involving counterparties in jurisdictions on the FATF High-Risk and Other Monitored Jurisdictions list, or jurisdictions designated by Kenya's Cabinet Secretary for Internal Security as high-risk for terrorism financing. Applicable jurisdictions (as of publication): The current FATF list should be checked at submission time as it is updated three times per year. Known high-risk jurisdictions for Kenya-relevant TF risk have included Somalia (cross-border Al-Shabaab risk), certain Middle Eastern states, and high-risk jurisdictions identified in UN Security Council reports. Narrative language: "The [incoming/outgoing] transfer of KES [amount] to/from [counterparty name] in [jurisdiction] was received/initiated on [date]. [Jurisdiction] is listed as a high-risk jurisdiction for terrorism financing purposes. The transfer purpose provided by the customer ([stated purpose]) is not consistent with [specific reasons: customer profile, lack of business nexus to jurisdiction, etc.]."

Indicator 3.2 — NGO or Charity Funds Diversion Pattern Description: A registered non-governmental organization, charitable trust, or community-based organization receives donor funds or grants and exhibits a pattern suggesting funds are being diverted from their stated charitable purpose to individuals or organizations with possible TF connections. Example pattern: NGO registered for education development receives KES 5,000,000 in donor grants and makes 40 small cash withdrawals totaling KES 4,800,000 to individuals who are not on the NGO's declared staff list, within 30 days of receipt. Narrative language: "The organization received grant funds designated for [stated purpose]. In [period] following receipt, [percentage] of the funds were disbursed as cash withdrawals to [N] individuals who are not disclosed employees or contractors of the organization. The pattern is inconsistent with legitimate operational expenditure for a [type] NGO and is consistent with funds diversion."

Indicator 3.3 — Small-Amount Cross-Border Transfers to Conflict Zones Description: Regular small-denomination international transfers to individuals in active conflict zones or jurisdictions with significant non-state armed actor presence. Small amounts are used because they fall below the radar of transaction monitoring systems calibrated for large-amount wire transfers. Example pattern: Customer makes 15 wire transfers averaging USD 200 each to three different individuals in Southern Somalia over a 45-day period. Total: USD 3,000. No declared business nexus. Narrative language: "The customer made [N] cross-border wire transfers to [N] recipients in [jurisdiction] totaling [amount] in [period]. The transfer amounts are individually small but frequent. The customer has no declared business or personal nexus to [jurisdiction] in their KYC records. [Jurisdiction] has active non-state armed actor presence and has been cited in UN Security Council reporting as a source or transit jurisdiction for terrorism financing activity."

Indicator 3.4 — Sanctions Screening Potential Match Without Resolution Description: A customer or counterparty generates a sanctions screening alert against UN, OFAC, EU, or UK sanctions lists that has not been resolved to a confirmed non-match. Financial activity continues on the account while the screening alert remains open. Narrative language: "The customer's name generated a potential sanctions screening match against [list name] on [date]. The screening alert has not been resolved to a confirmed non-match as of the date of this report. The institution is reporting the financial activity on this account during the period of the unresolved alert as a precautionary measure under Section 19 of POCAMLA."

Indicator 3.5 — Fundraising Activity Linked to Designated Organization Description: An individual or entity account shows evidence of soliciting or collecting donations, contributions, or subscriptions from multiple parties, where the proceeds appear to be consolidated and forwarded to an organization associated with a designated terrorist group. Narrative language: "The account received [N] inward transfers from [N] different senders over [period]. The pattern of multiple small inbound receipts from diverse senders, followed by consolidated outbound transfers to [counterparty], is consistent with fundraising activity. [Counterparty] or its affiliated entities have been referenced in [regulatory guidance/UN reporting] in connection with [designated organization]."

Category 4 — Real Estate and Property Indicators

Real estate is consistently cited in FATF and Kenya FRC typology reports as one of the primary vehicles for integrating laundered funds in Kenya. Large property values, significant cash transaction norms in the informal property sector, and the involvement of intermediaries (lawyers, conveyancers) create opportunities for illicit funds to be absorbed into apparently legitimate transactions.

Indicator 4.1 — Cash-Intensive Property Purchase Description: A property purchase is funded entirely or substantially through cash deposits, without any mortgage, property finance, or traceable income source explanation. The cash amount is inconsistent with the customer's disclosed financial profile. Narrative language: "The customer made a cash deposit of KES [amount] followed immediately by issuance of a payment to [law firm/developer] described as property settlement. The deposit amount is not consistent with the customer's declared income of [amount]. No mortgage or property finance facility exists on the account."

Indicator 4.2 — Shell Company or Nominee Buyer Description: A property is purchased in the name of a company with no operational history, or a nominee director rather than the disclosed beneficial owner. The corporate structure appears to serve no business purpose other than to obscure the identity of the true buyer. Narrative language: "The property has been registered in the name of [company], incorporated [time] ago with no identified operational history. The payment was made from an account held by a separate company that shares a beneficial owner with [company]. The use of [N] corporate layers to hold a residential property for an individual is not consistent with a legitimate business purpose and is consistent with the use of corporate structures to obscure beneficial ownership."

Indicator 4.3 — Round-Number or Suspiciously Precise Transaction Amount Description: Property-related payments are in exact round-number amounts that do not reflect the customary structure of property conveyancing (which typically includes stamp duty, legal fees, and other disbursements that produce irregular totals). Round-number payments may indicate that the stated property value is a cover for a different underlying cash transfer. Narrative language: "The payment of KES [round amount] was described as full property settlement. Legitimate property transactions of this value would ordinarily produce a non-round payment total after inclusion of stamp duty, legal fees, and disbursements. The exact round-number amount is inconsistent with standard conveyancing practice."

Indicator 4.4 — Mismatch Between Property Value and Customer Financial Profile Description: A customer whose KYC records and account history reflect modest income or business activity purchases a property whose value substantially exceeds any plausible savings or borrowing capacity based on their financial profile. Narrative language: "The customer's declared annual income is KES [amount] and account history reflects cumulative deposits of KES [amount] over [period]. The property purchased has a registered value of KES [amount], representing [N] times the customer's annual income and [N] times total historical account deposits. The customer has not disclosed any asset sales, inheritance, or other source of funds that would explain the purchase capacity."

Category 5 — Trade Finance and Cross-Border Indicators

Trade-based money laundering (TBML) is a sophisticated typology in which illicit funds are moved across borders through manipulated trade transactions. Kenya's position as a regional trade hub — with significant import flows through Mombasa and cross-border trade with Uganda, Tanzania, DRC, and Somalia — makes TBML an important typology for Kenyan banks with trade finance portfolios.

Indicator 5.1 — Over-Invoicing or Under-Invoicing Description: A letter of credit, trade finance facility, or import/export payment contains documentation where the invoiced value of goods is materially inconsistent with prevailing market prices for the described commodity type, quantity, and quality. Over-invoicing is used to move excess funds out of a jurisdiction; under-invoicing brings funds in. Narrative language: "The invoice presented for [commodity] at [price per unit] is materially inconsistent with current market pricing for [commodity] of [specification]. Reference pricing sources indicate market value of [price range]. The [over/under] statement of invoice value by approximately [percentage] is consistent with over/under-invoicing as a mechanism for [export/import] of funds."

Indicator 5.2 — Correspondent Bank Layering Description: A payment originates from or is directed to an unregulated or high-risk correspondent banking relationship, passes through multiple correspondent banks in jurisdictions with weak AML controls, or uses a correspondent chain that obscures the ultimate originator or beneficiary. Narrative language: "The payment passed through [N] correspondent banks in [jurisdictions]. The use of correspondent chains through [specific jurisdictions with known AML deficiencies] to process a payment to/from [destination] is not consistent with a standard commercial banking route for this transaction type and introduces opacity regarding the ultimate originator/beneficiary."

Indicator 5.3 — Ghost Shipment or Phantom Goods Description: A trade finance transaction references goods that cannot be verified through shipping documentation, customs records, or physical delivery. The transaction generates financial flows without corresponding movement of goods. Narrative language: "The bill of lading referenced in the letter of credit could not be verified against Mombasa Port Authority records for the stated vessel and voyage date. No customs declaration corresponding to the described cargo was identified in available records. The payment of KES [amount] for goods whose physical delivery cannot be substantiated is consistent with a ghost shipment structure used to justify cross-border fund movement."

Indicator 5.4 — High-Risk Country Exposure in Trade Finance Description: A trade finance facility involves counterparties, transit ports, or ultimate destination countries on high-risk jurisdiction lists, combined with other anomalies such as unusual commodity types, new customer relationships, or inconsistent documentation. Narrative language: "The trade finance transaction involves [goods/counterparty/transit] in [high-risk country]. [Country] is on the [FATF/UNODC/equivalent] high-risk list for [ML/TF/proliferation financing]. Combined with [additional anomaly], the transaction presents an elevated risk profile that warrants reporting."

Selecting the Right Indicators — Decision Framework

When a compliance analyst identifies a suspicious transaction, the indicator selection process should follow a structured analytical path:

Step 1 — Identify the Cash Flow Direction and Type Is this a cash placement event (deposits, mobile money receipts), a layering event (transfers, conversions, movement between accounts), or an integration event (property purchase, investment, high-value asset acquisition)? The phase of ML activity shapes which indicator categories apply.

Step 2 — Identify the Transaction Channel Was the activity conducted through branch cash, mobile money, wire transfer, or trade finance? Channel-specific typologies (mobile money categories for M-PESA transactions, trade finance categories for LC/trade facilities) should be the primary indicator candidates.

Step 3 — Assess Customer Profile Consistency Does the transaction pattern match the customer's declared income, occupation, business type, and account history? The degree of inconsistency determines whether structuring, unexplained wealth, or beneficial ownership indicators apply.

Step 4 — Check for High-Risk Jurisdiction or Entity Connections Is any counterparty, transaction corridor, or associated entity connected to a high-risk jurisdiction or sanctioned party? If yes, TF and cross-border indicators must be considered and the TF escalation protocol applies.

Step 5 — Select Indicators and Verify Narrative Coverage For each indicator you select, confirm that your narrative contains at least one specific factual statement supporting that indicator. Remove any indicator not supported by the narrative. Add narrative content for indicators you have initially omitted where the facts support them.

Indicators and Narrative Alignment

Every Indicator Must Be Supported by the Narrative

The quality standard for Kenya FRC STR submissions is that every indicator code in the indicator_codes field must correspond to a factual description in the reason field narrative. This is not a bureaucratic requirement — it reflects the analytical integrity of the report. An indicator code without narrative support tells the FIU that your institution has labeled an activity without explaining it.

Mismatched Indicators Cause FRC Follow-Up Requests

The FRC's review process specifically checks for alignment between indicator codes and narrative content. Reports with TF indicator codes but no TF-relevant narrative are flagged immediately. Reports with real estate indicator codes but no property transaction description prompt information requests. These follow-ups consume compliance team time and create regulatory documentation of analytical inadequacy.

Using a Platform Indicator Library to Standardize Selection

A purpose-built AML reporting platform maintains a curated indicator library aligned with current Kenya FRC guidance. Compliance analysts select indicators from the library by category, and the platform:

Displays the narrative requirements for each selected indicator
Flags narrative gaps where an indicator has been selected but the narrative does not address the corresponding typology elements
Ensures indicator codes in the XML match the current FRC-approved code identifiers exactly
Maintains an audit trail of indicator selection decisions for regulatory examination purposes

This systematic approach eliminates indicator code errors, reduces follow-up request rates, and ensures your STR programme reflects current AML typology knowledge.

Strengthen Your STR Programme with Better Indicator Analysis

The indicators and typologies in this library represent the current landscape of AML risk relevant to Kenyan financial institutions. Keeping this knowledge current — and applying it consistently across your compliance team — is the difference between an STR programme that genuinely supports financial crime investigation and one that generates paper compliance without analytical substance.

Creodata's goAML platform includes a built-in, Kenya FRC-aligned indicator library, narrative completeness scoring, and automated alignment checks between selected indicators and narrative content. Every STR your institution files is analytical, consistent, and defensible.

Book a demo to see the indicator library and STR workflow in action.

Request a Demo → https://www.creodata.com/demo

Related articles: