Creodata Solutions Logo

Uganda FIA goAML Reporting: A Practical Guide for Banks

June 10, 2026

Uganda's AML/CFT regime has matured fast. The country exited the FATF grey list on 23 February 2024 after fully implementing its action plan, the Financial Intelligence Authority (FIA) issued a new goAML-centric Suspicious Transaction Report Guidance Note effective 1 December 2024, and successive ESAAMLG follow-up reports have re-rated Uganda upward — with suspicious transaction reporting (FATF Recommendation 20), rated Non-Compliant back in the 2016 mutual evaluation, now rated Compliant. Uganda remains in ESAAMLG enhanced follow-up, which means the supervisory pressure that produced those upgrades has not gone away.

For compliance teams at Ugandan banks, mobile money and remittance providers, forex bureaus, insurers, and the rest of the "accountable persons" list, the operational reality is goAML: registration, large cash transaction reporting at the UGX 20 million threshold, and STRs filed within two working days of suspicion — all through the FIA's portal, all backed by administrative penalty powers of up to UGX 750 million.

This guide is a practical reference for Ugandan reporting entities: the legal framework, the FIA's goAML platform, cash reporting thresholds, the STR deadline, identity and data requirements, recent regulatory changes through 2026 — and how to run Uganda's rules on the same platform you use across the region.

For regional context, see our companion guides: Kenya FRC goAML Reporting: Complete Guide, Tanzania FIU goAML Reporting, and Zambia FIC goAML Compliance.

Uganda's AML Legal Framework

The Anti-Money Laundering Act (Cap. 118)

Uganda's core statute is the Anti-Money Laundering Act, 2013 — cited under the 2023 revised edition of the laws as Cap. 118. Part IV of the Act establishes the Financial Intelligence Authority as a body corporate headquartered in Kampala, with a mandate to enhance the identification of proceeds of crime, ensure compliance with the Act, analyse the reports it receives, and exchange information with competent authorities at home and abroad. The FIA became operational in July 2014 and was admitted to the Egmont Group of Financial Intelligence Units on 3 July 2019.

The Act has been amended several times, and the amendments matter operationally:

  • AML (Amendment) Act, 2017 — rewrote the STR obligation (section 9), added protection for the identity of reporting persons, and set the cross-border currency declaration regime (declarations to the Uganda Revenue Authority above 1,500 currency points, i.e. UGX 30 million).
  • AML (Amendment of Second Schedule) Instrument, 2020 — added virtual asset service providers to the accountable persons list.
  • AML (Amendment) Act, 2022 — introduced administrative penalties of up to 37,500 currency points (UGX 750 million), imposable whether or not the same conduct is prosecuted, and extendable personally to officers, directors, or agents who directed, authorised, or acquiesced in the conduct.
  • AML (Amendment of Schedule 2) Instrument, 2025 — made on 5 February 2025, this removed NGOs, churches, and other charitable organisations from the accountable persons list, aligning Uganda with FATF's risk-based approach to non-profits.

Subsidiary legislation — principally the AML Regulations, 2015, as amended in 2022 and 2023 — supplies the forms (Form A for cash transaction reports, Form B for suspicious transactions) and supervisory powers.

FATF and ESAAMLG: From Grey List to Compliant Ratings

Uganda has been through two FATF monitoring episodes: an earlier one beginning in 2014 (when establishing a fully operational FIU was itself an action item), and the February 2020 grey listing, which focused on risk-based supervision, beneficial ownership access, ML prosecutions, asset confiscation, and targeted financial sanctions. Uganda completed that action plan and exited the grey list on 23 February 2024.

The ESAAMLG trajectory tells the supervisory story: the 2016 mutual evaluation rated R.20 (STR reporting) Non-Compliant, citing legal-framework gaps and low effectiveness in the use of financial intelligence. A decade of follow-up reports later, R.20 is rated Compliant and the March 2026 follow-up re-rated still more Recommendations upward — but Uganda remains in enhanced follow-up, and the FIA's recent circulars (including Circular No. 13 of February 2026 on FATF high-risk jurisdictions) show an authority actively supervising through its goAML message channels.

The FIA and the goAML Portal

How FIA Uganda Uses goAML

The FIA's registration and reporting platform is UNODC goAML, with the production portal at goaml.fia.go.ug. Every accountable person must register as a reporting entity on the portal before filing; the FIA reissued mandatory online registration guidelines in January 2024 and runs a dedicated goAML helpdesk.

The rollout has been phased over several years — banks and forex bureaus first (forex bureaus were onboarded in a dedicated 2020 exercise), then insurers and investment funds, with the FIA publicly extending goAML e-registration to all accountable persons in late 2022. If your institution registered early, note that the FIA has since run user-data verification exercises on the platform; stale registrations are a compliance finding waiting to happen.

Uganda's goAML configuration accepts a wider set of report types than many neighbouring FIUs. Per the FIA's published XML schema documentation, these include suspicious transaction and suspicious activity reports (STR/SAR), large cash transaction reports (CTR/LCTR) and aggregated large cash reports (ALCTR), international wire transfer reports (IWTR), terrorism financing reports (TFR), and additional information files (AIF). The schema's funds-type codes explicitly cover mobile money and cryptocurrency — a clear signal of where the FIA expects reporting to come from.

Who Must Register and Report

The Second Schedule's "accountable persons" list covers, among others:

  • Financial institutions under the Financial Institutions Act, including commercial banks
  • Advocates, notaries, accountants, and other independent legal professionals
  • Casinos (including internet casinos), real estate agents, and dealers in precious metals and gems
  • Trust and company service providers, executors' boards, and trust administrators
  • Brokers, dealers, and investment advisers; insurance companies
  • Persons conducting listed financial activities — including transfer of money or value (formal and informal, expressly covering alternative remittance, which is the hook for mobile money and remittance operators), issuing and managing electronic money, lending, financial leasing, money and currency changing (forex bureaus), and portfolio management
  • Virtual asset service providers (since November 2020)
  • Registrars of Companies and of Land, the Uganda Investment Authority, and licensing authorities

Two list changes deserve attention. VASPs have been accountable persons since 2020 even though Uganda's dedicated virtual-asset legislation is still being developed — the FIA published its first national risk assessment on virtual assets and VASPs in February 2026. And since February 2025, NGOs, churches, and charitable organisations are no longer on the list; institutions that bank NPOs should still apply risk-based monitoring, but the NPOs themselves no longer carry accountable-person obligations.

Differences from Kenya FRC in Practice

  • Threshold design: Uganda's large cash reporting threshold is set in currency points (1,000 points = UGX 20 million) under section 8 of the Act — a shilling-denominated test, unlike Tanzania's USD-denominated rule, and a different value and currency from Kenya's.
  • STR clock: two working days from forming suspicion — tighter than Kenya's window, looser than Tanzania's 24 hours. Regional teams need per-country SLA timers, not one global default.
  • Report-type richness: Uganda's goAML accepts IWTR, TFR, and aggregated cash reports as distinct types; mapping your detection outputs to the correct report type is itself a configuration exercise.
  • Identifiers: Uganda uses the NIRA National Identification Number for individuals and URSB registration numbers for companies — with beneficial ownership filings at URSB mandatory since 2023, which your KYC data should mirror.

Cash Transaction Reporting: The UGX 20 Million Threshold

The Rule

Section 8 of the Act requires accountable persons to record every cash and monetary transaction — domestic or foreign currency — at the threshold of 1,000 currency points, where one currency point equals UGX 20,000. That sets the operative line at UGX 20 million (roughly USD 5,000–5,500 at recent rates). The Act's wording is "exceeding" the threshold, while the 2015 Regulations require filing for transactions "equivalent to or exceeding" it; the safe compliance posture is to treat UGX 20 million and above as reportable.

Records go on Form A, must be made the same day, and must be kept for ten years. Same-day multiple transactions by or on behalf of the same person are aggregated (section 8(3)). Copies of Form A are filed with the FIA — in practice, electronically through goAML as large cash transaction reports. The statute leaves the precise filing cadence to ministerial prescription, so institutions should follow the FIA's current goAML guidance on submission timing rather than assume a statutory grace period.

Foreign Currency and Cross-Border Movements

The threshold applies to transactions "in any currency", so US dollar and other foreign-currency cash transactions must be converted and tested against the UGX 20 million line. Separately, physically moving currency or bearer negotiable instruments above 1,500 currency points (UGX 30 million) across Uganda's borders triggers a declaration to the Uganda Revenue Authority — a distinct obligation under section 10 that feeds the FIA's cross-border declarations analysis stream.

Structuring Is Its Own Offence

Section 133 makes it an offence to structure or conduct transactions so as to avoid the reporting obligations. Detection rules should therefore watch the band just under UGX 20 million — repeated cash deposits of UGX 18–19 million are not a clever customer habit, they are a red flag the FIA's own guidance highlights.

STR Filing Requirements

The Two-Working-Day Deadline

Section 9 of the Act (as substituted in 2017) requires an accountable person that suspects, or has reasonable grounds to suspect, that funds are proceeds of crime or linked to money laundering or terrorism financing to report — regardless of the transaction's value, and including attempted transactions. Section 9(2) sets the clock: "without delay but not later than two working days from the date the suspicion was formed." The FIA's Guidance Note effective 1 December 2024 restates the same rule and directs filing through goAML. (The 2015 Regulations phrase the window as 48 hours; the Act's two-working-day formulation is the primary statement.)

As in every jurisdiction, the clock starts when suspicion is formed — not when the investigation is complete. A workflow where the alert queue, case file, narrative, and approval all live in one system is what makes a two-working-day SLA consistently achievable; assembling data from core banking, spreadsheets, and email threads is what makes it consistently missable.

Penalties Concentrate the Mind

The Act criminalises failure to report cash transactions (section 124) and failure to report suspicious transactions (section 125) — including negligent failure. Sanctions under section 136(2) run, for natural persons, to imprisonment of up to five years or fines of up to 33,000 currency points (UGX 660 million); for legal persons, fines up to 70,000 currency points (UGX 1.4 billion); and continuing offences attract up to 5,000 currency points (UGX 100 million) per day.

On top of the criminal track, the 2022 amendment gave the FIA and supervisory authorities administrative penalty powers up to 37,500 currency points (UGX 750 million) — imposable irrespective of prosecution, and reaching personally to directors and officers who authorised or acquiesced in the conduct. Supervisors can also issue compliance orders, ban individuals from sectors, and order the suspension or replacement of directors and management under the 2015 Regulations.

Typologies the FIA Expects You to Detect

Uganda's National ML/TF Risk Assessment (2023) and the FIA's December 2024 Guidance Note point monitoring rules at:

  • Real estate — a largely unregulated sector used to place proceeds of corruption, embezzlement, fraud, and tax crime
  • Gold and precious metals — smuggling and round-tripping risk through porous borders with the DRC and South Sudan, a theme ESAAMLG's regional typology reports document with Ugandan cases
  • Wildlife crime — trafficking in wildlife products, flagged since the 2016 mutual evaluation
  • Casinos and gaming — threshold-avoidance behaviour and chip cash-outs feature in the FIA's red-flag indicator sets
  • Mobile money and remittance corridors — value transfer (formal and informal) is expressly within the accountable-person definition, and Uganda's goAML schema carries mobile money as a funds type
  • Virtual assets — deposits converted to fiat and other VA patterns, ahead of dedicated VASP legislation
  • PEPs and corruption — proceeds of abuse of public resources remain a headline domestic risk

Narrative Quality

The FIA's Guidance Note pairs its red-flag library with an expectation that STR narratives substantiate the suspicion: the observed transactions, the customer profile mismatch, the explanation sought and why it failed, and the indicator or typology engaged. Reports that merely restate an alert rule do little for the FIA's analysts — and under a Compliant-rated R.20 regime, report quality is where supervisory attention now sits.

Uganda-Specific Data and Identity Rules

NIRA National Identification Number

Uganda's primary individual identifier is the National Identification Number issued by the National Identification and Registration Authority (NIRA) under the Registration of Persons Act, 2015. The NIN is a unique, lifetime, 14-character alphanumeric identifier (industry validation treats the first letter as C for citizens and A for registered aliens), and it is the value your goAML person records should carry for Ugandan nationals. Foreign nationals are identified by passport, with number, issuing country, and expiry captured. Uganda's goAML XML schema includes the standard person-identification block for these documents — populate it completely; identification gaps are a leading rejection and data-quality issue in every goAML jurisdiction.

URSB Registration and Beneficial Ownership

For legal entities, the Uganda Registration Services Bureau (URSB) registration number is the company identifier. Since the Companies (Amendment) Act 2022 and the beneficial ownership regulations issued in January 2023, companies and partnerships must file beneficial-owner information with URSB — and the registry stopped accepting other filings from entities without BO information on record. Your KYC files, and the entity records in your STR XML, should reflect the same beneficial ownership data; an STR naming a company without its owners is exactly the gap Uganda's grey-list action plan targeted.

What Changed in 2024–2026: A Compliance Officer's Shortlist

  • 23 February 2024 — Uganda exits the FATF grey list.
  • 1 December 2024 — new FIA STR Guidance Note takes effect: goAML-centric filing, expanded red-flag indicators across EFT/remittance, casinos, virtual assets, and PEPs.
  • 5 February 2025 — SI 17/2025 removes NGOs, churches, and charities from the accountable persons list.
  • 2025 — Anti-Terrorism Regulations 2025 compress UN targeted-financial-sanctions implementation: designations circulate to accountable persons for freezing within 24 hours via the FIA.
  • October 2025 / February 2026 — FIA Circulars No. 12 and No. 13 relay FATF high-risk-jurisdiction outcomes to all accountable persons under regulation 44; expect these through the goAML message board and act on them.
  • 18 February 2026 — FIA publishes Uganda's first national risk assessment on virtual assets and VASPs, signalling forthcoming VA legislation.
  • March 2026 — ESAAMLG's 16th follow-up report re-rates more Recommendations upward; Uganda stays in enhanced follow-up.

The pattern is clear: Uganda's regulator communicates through goAML, updates expectations frequently, and now holds administrative penalty powers that make non-compliance a board-level financial risk.

Deploying an AML Platform for Uganda

Country Profile Configuration, Not Custom Code

A multi-jurisdiction reporting platform should hold Uganda's specifics as configuration: the UGX 20 million (1,000 currency point) cash threshold with same-day aggregation, the two-working-day STR SLA, Uganda's goAML report-type set (STR/SAR, LCTR/ALCTR, IWTR, TFR), NIN and URSB identifier validation, beneficial-ownership data mapping, and the goaml.fia.go.ug submission target. When the FIA issues a new circular, guidance note, or schedule amendment — as it has done repeatedly since 2024 — the country profile is updated; your deployment doesn't change.

Multi-Country East African Operations

Banking groups operating across Uganda, Kenya, Tanzania, and Zambia face four different thresholds in three different currencies, three different STR clocks, and four FIU portal configurations. Running them on one platform with per-country profiles gives regional compliance leadership a single view of filing rates, rejection rates, and SLA performance — while each country team files against its own FIU's rules.

Creodata's goAML platform ships with a Uganda (FIA) country profile maintained by our compliance technology team, alongside profiles for Kenya (FRC), Tanzania (FIU), Zambia (FIC), and Rwanda.

Compliance Checklist for Ugandan Accountable Persons

1. goAML Registration: Your institution is registered on the FIA's goAML portal per the January 2024 guidelines, your user data has passed the FIA's verification exercises, and your MLRO contact details are current.

2. Large Cash Detection: Cash and monetary transactions of UGX 20 million and above (any currency, converted) are detected with same-day aggregation across branches and channels, recorded on Form A the same day, and filed to the FIA through goAML.

3. Structuring Rules: Monitoring covers the band just below UGX 20 million for structuring patterns — an offence in its own right under section 133.

4. Two-Working-Day STR Process: Your alert-to-filing workflow completes within two working days of suspicion being formed, with timestamps that prove it — including for attempted transactions and regardless of value.

5. Report-Type Mapping: Detection outputs map to Uganda's full goAML report-type set — STR/SAR, LCTR/ALCTR, IWTR, TFR — not just a generic STR bucket.

6. Identity Data: 14-character NINs for nationals, passports for foreigners, URSB numbers and beneficial ownership for entities — captured at onboarding, validated, and flowing into goAML XML without re-keying.

7. Typology Coverage: Rules calibrated to Uganda's risk profile: real estate, gold and cross-border smuggling, wildlife crime, casinos, mobile money corridors, virtual assets, and PEP/corruption indicators.

8. Sanctions Speed: UN TFS designations relayed by the FIA are screened and frozen within 24 hours per the 2025 Anti-Terrorism Regulations.

9. Circular Intake: FIA circulars and goAML message-board notices (high-risk jurisdictions, registration exercises) have a named owner, a documented action trail, and deadlines.

10. Audit Trail: Every report — cash or suspicious — has an immutable record of who detected, reviewed, approved, and submitted it, available for FIA inspection and your next ESAAMLG-driven supervisory review.

Deploy Uganda-Ready goAML Reporting with Creodata

Uganda rebuilt its AML regime well enough to exit the FATF grey list — and the FIA that emerged communicates through goAML, expects two-working-day STRs, and carries UGX 750 million administrative penalty powers it can apply without going to court. Manual reporting processes were not designed for that environment.

Creodata's goAML AML Reporting Platform includes a fully configured Uganda country profile: UGX 20 million threshold monitoring with same-day aggregation, structuring detection, two-working-day STR workflow with SLA tracking, Uganda's full report-type set, NIN and URSB validation with beneficial ownership support, and goAML XML generation validated before submission. One platform across Uganda, Kenya, Tanzania, and Zambia — one audit trail, every jurisdiction.

See the Uganda configuration in action — request your demo.