KYC, KYB & AML compliance checklist
Botswana KYC, KYB & AML
A practical implementation checklist for fintechs, payment providers, financial institutions, virtual asset businesses and other specified parties operating in Botswana.
- Reviewed
- 15 July 2026
- Version
- 1.0
- control areas
- 11
- implementation checks
- 66
Direct answer
What does the Botswana compliance checklist cover?
The Botswana checklist translates primary KYC, KYB and AML rules into 11 control areas and 66 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Financial intelligence unit
- Financial Intelligence Agency (FIA)
- CDD transaction threshold
- P10,000 or more for an occasional transaction; other statutory CDD triggers apply regardless of value
- Cash transaction reporting
- P10,000 or more; as soon as possible and no later than five working days after conclusion
- Suspicious transaction reporting
- As soon as possible and no later than five working days after suspicion arises
- Beneficial ownership threshold for CDD
- Natural persons holding more than 10% directly or indirectly, plus control-through-other-means and senior-managing-official fallbacks
- Record retention
- 20 years from the statutory transaction or relationship trigger; longer if required in writing by an investigatory authority
- UN targeted financial sanctions
- Identify and freeze without delay and no later than eight hours after receipt of the circulated UN list
- FATF public list
- Not under increased monitoring as at 15 July 2026
Implementation detail
Botswana compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Regulatory perimeter and governanceDetermine specified-party status, licensing and supervisory responsibility before offering a product or onboarding customers.6 items+
Map the Financial Intelligence Act perimeter
- Implementation action
- Classify each legal entity, product, customer type and delivery channel against Schedule I specified parties and Schedule III accountable institutions. Record the applicable Schedule II supervisory authority; where no supervisor is assigned, the FIA acts as supervisor.
- Evidence to retain
- Approved perimeter memo, legal-entity map, product inventory, Schedule mapping and legal sign-off
- Primary citation
- Financial Intelligence Act 2022, s.2 and Schedules I-III, as amended [01][04]
Identify the correct financial-sector regulator
- Implementation action
- Map banks and payment activities to the Bank of Botswana, non-bank financial institutions and virtual asset activities to NBFIRA, and other regulated professions to their statutory supervisor. Treat FIA reporting as separate from prudential or conduct reporting.
- Evidence to retain
- Regulatory responsibility matrix, licence register and reporting calendar
- Primary citation
- Financial Intelligence Act 2022, Schedule II; Bank of Botswana and NBFIRA mandates [01][10][13]
Maintain an institution-level risk assessment
- Implementation action
- Identify, assess and understand ML/TF/PF and other financial-offence risks arising from customers, countries, products, services, transactions and delivery channels. Keep the assessment current and use it to allocate controls and resources.
- Evidence to retain
- Board-approved methodology, enterprise risk assessment, risk register, action plan and review record
- Primary citation
- Financial Intelligence Act 2022, s.13 [01]
Implement a documented compliance programme
- Implementation action
- Adopt internal policies, controls and procedures for CDD, risk rating, monitoring, reporting, records, employee screening, training, independent audit and management responsibility. Review and update the programme regularly.
- Evidence to retain
- Policy suite, board approval, named control owners, staff screening, training plan and independent review
- Primary citation
- Financial Intelligence Act 2022, s.14; Financial Intelligence Regulations 2022, regs. 29-32 [01][02]
Apply group-wide controls
- Implementation action
- For a financial group, implement group-wide AML/CFT/CPF policies, information-sharing and protections across branches and majority-owned subsidiaries. Apply Botswana measures abroad where they are stricter and legally permitted; notify the supervisor and add controls where foreign law prevents application.
- Evidence to retain
- Group policy, entity coverage map, information-sharing protocol, foreign-law assessment and supervisor notices
- Primary citation
- Financial Intelligence Act 2022, s.15 [01]
Keep regulatory changes under active review
- Implementation action
- Track the 2025 amendment package, FIA notices, sector guidance and licence conditions. The 2025 amendment established the National Coordination Office, strengthened FIA independence and updated prominent-influential-person alignment; do not operate solely from the unamended 2022 PDF.
- Evidence to retain
- Legal register, change log, impact assessments and implementation approvals
- Primary citation
- Financial Intelligence (Amendment) Act 2025; Bank of Botswana Financial Stability Report May 2025 [04][05]
02Enterprise, customer and product riskUse the statutory risk-based approach to determine the extent of CDD, enhanced measures and monitoring.4 items+
Risk-rate every relationship
- Implementation action
- Assess customer and beneficial-owner profile, purpose, expected value and frequency, products, delivery channel, geography, ownership complexity, PEP exposure, sanctions and adverse information. Record the rationale for the rating and any override.
- Evidence to retain
- Customer risk score, input data, rationale, approver, override log and next-review date
- Primary citation
- Financial Intelligence Act 2022, ss.13 and 16(2)-(3) [01]
Assess new products and technologies before launch
- Implementation action
- Complete financial-crime, fraud, sanctions, operational and privacy risk assessments before launching a new product, business practice, delivery mechanism or material technology. Address non-face-to-face and anonymity risks with proportionate safeguards.
- Evidence to retain
- Product risk assessment, DPIA where required, control design, test plan and launch approval
- Primary citation
- Financial Intelligence Regulations 2022, reg. 11; Data Protection Act 2024, ss.52 and 65-68 [02][15]
Use simplified CDD only for demonstrated lower risk
- Implementation action
- Document the low-risk factors before reducing the extent, timing or frequency of measures. Do not use simplified CDD where suspicion exists, the customer or transaction is high risk, or enhanced due diligence is required.
- Evidence to retain
- Low-risk assessment, approved simplified-measures standard and exception testing
- Primary citation
- Financial Intelligence Act 2022, s.28; Financial Intelligence Regulations 2022, reg. 13 [01][02]
Escalate high-risk indicators
- Implementation action
- Treat unusual or excessively complex corporate structures, nominee or bearer-share features, cash-intensive businesses, non-face-to-face relationships without safeguards, third-party funding and products favouring anonymity as heightened-risk indicators.
- Evidence to retain
- Indicator library, alert rules, case records and EDD decisions
- Primary citation
- Financial Intelligence Regulations 2022, reg. 11 [02]
03KYC and customer due diligenceIdentify and verify the customer, representatives and beneficial owner before establishing the relationship or conducting a covered transaction.7 items+
Apply every statutory CDD trigger
- Implementation action
- Conduct CDD when establishing a business relationship; for an occasional or linked transaction of P10,000 or more; for domestic or international wire transfers; when prior identification data is doubtful; and whenever a financial offence is suspected.
- Evidence to retain
- CDD trigger matrix, linked-transaction logic, wire workflow and completed customer files
- Primary citation
- Financial Intelligence Act 2022, s.16; Financial Intelligence Regulations 2022, reg. 4 [01][02]
Verify natural persons using the applicable official document
- Implementation action
- Establish and independently verify identity. For Botswana citizens use the national identity card (Omang); for non-citizens use a passport; for recognised refugees use the refugee identity card. Capture the prescribed personal particulars and retain verification evidence.
- Evidence to retain
- Identity image or certified copy, document-authenticity result, identity data, verification source and operator audit trail
- Primary citation
- Financial Intelligence Act 2022, s.20(6) and (9); Financial Intelligence Regulations 2022, regs. 5-6 and 14-16 [01][02]
Identify representatives and verify authority
- Implementation action
- Identify and verify anyone acting for the customer, confirm the customer's identity, and verify the mandate, resolution, power of attorney or other authority connecting the representative to the customer.
- Evidence to retain
- Representative KYC, signed mandate, resolution or power of attorney and verification record
- Primary citation
- Financial Intelligence Act 2022, ss.20(1), 20(4) and 31; Financial Intelligence Regulations 2022, reg. 5 and Form A [01][02]
Understand purpose, intended nature and expected activity
- Implementation action
- Record the purpose and intended nature of the relationship or transaction, expected products, values, volumes, counterparties, geographies and source of funds. Use this baseline for ongoing monitoring.
- Evidence to retain
- Customer profile, expected-activity statement, source-of-funds information and risk assessment
- Primary citation
- Financial Intelligence Act 2022, ss.19(2) and 20(1)(c) [01]
Conduct ongoing CDD
- Implementation action
- Scrutinise transactions for consistency with the known customer, business and risk profile; periodically review accounts; keep customer and beneficial-owner information current; and refresh promptly after a material change, doubt or suspicion.
- Evidence to retain
- Review schedule, event triggers, monitoring results, refreshed documents and approval history
- Primary citation
- Financial Intelligence Act 2022, s.19 and s.31(3) [01]
Control remote onboarding
- Implementation action
- For non-face-to-face onboarding, use controls proportionate to impersonation and document fraud risk, such as document authenticity checks, face comparison, liveness, device intelligence and manual escalation. Technology controls support but do not replace the statutory duty to establish and verify identity from reliable sources.
- Evidence to retain
- Remote-onboarding standard, vendor assessment, model tests, exception queue and audit logs
- Primary citation
- Financial Intelligence Regulations 2022, regs. 11(1)(b), 14 and 15; Data Protection Act 2024 [02][15]
Stop safely when CDD cannot be completed
- Implementation action
- Do not open an account, start a relationship or perform a transaction where required identity information is unsatisfactory. Consider an STR. If continuing CDD would tip off a customer after suspicion forms, discontinue CDD and report instead.
- Evidence to retain
- Decline or exit record, failed-verification reason, escalation and STR decision
- Primary citation
- Financial Intelligence Act 2022, ss.20(10) and 30; Financial Intelligence Regulations 2022, reg. 5(2)-(3) [01][02]
04KYB, company registration and beneficial ownershipVerify legal existence, authority, ownership and control using CIPA and reliable independent evidence.7 items+
Verify the legal person and current status
- Implementation action
- Obtain and verify registered name and number, legal form, certificate of incorporation or registration, constitution, registered and operating addresses, nature of business, tax and VAT numbers where issued, trading licence where applicable, directors or manager and current CIPA status.
- Evidence to retain
- CIPA extract, certificate, constitution, address evidence, BURS tax evidence, trade licence and director register
- Primary citation
- Financial Intelligence Act 2022, s.20(6)(d); Financial Intelligence Regulations 2022, reg. 7; CIPA OBRS notice [01][02][08]
Identify natural-person beneficial owners
- Implementation action
- Trace every ownership layer and identify natural persons who directly or indirectly hold more than 10% of shares, voting rights or other ownership interests. Also identify natural persons exercising control through other means; where none is identified after reasonable measures, identify the senior managing official. Do not stop at a nominee, trust or corporate shareholder.
- Evidence to retain
- Ownership chart, shareholder registers, CIPA BO declaration, trust or nominee documents, control analysis and identity evidence
- Primary citation
- Financial Intelligence Act 2022, s.2 definition of beneficial owner and s.20(1)(b); Financial Intelligence Regulations 2022, regs. 5(7), 7(1)(h)(iii) and 8(e) [01][02]
Confirm CIPA beneficial-ownership declarations
- Implementation action
- Require evidence that new and existing companies have declared every natural person having ultimate ownership or control through CIPA's Online Business Registration System, including the nature of each interest. Resolve discrepancies before onboarding and refresh after change.
- Evidence to retain
- CIPA BO filing or public-search evidence, declaration date, discrepancy log and remediation
- Primary citation
- Companies Act, as amended; Companies (Amendment) Act 2025; CIPA OBRS upgrade notice [08][09]
Identify nominee and alternate arrangements
- Implementation action
- Establish whether nominee or alternate directors or shareholders are used, identify the nominator and ultimate natural person, understand the purpose of the arrangement and verify that the arrangement is declared to CIPA.
- Evidence to retain
- Nominee declaration, agreement, nominator KYC, CIPA filing and risk assessment
- Primary citation
- Companies Act, as amended; CIPA OBRS upgrade notice [08][09]
Verify corporate authority
- Implementation action
- Obtain the board resolution authorising the relationship and signatories, powers of attorney and mandates. Verify directors, the manager, authorised persons and relevant senior management.
- Evidence to retain
- Board resolution, mandate matrix, powers of attorney, officer KYC and specimen signatures
- Primary citation
- Financial Intelligence Regulations 2022, reg. 7(1)(h)-(j) [02]
Apply trust and partnership KYB
- Implementation action
- For trusts identify and verify the settlor, trustees, protector if any, beneficiaries or class, and any natural person with ultimate effective control. For partnerships identify the partnership and every partner, including silent partners, plus authorised persons.
- Evidence to retain
- Trust deed or partnership instrument, registry evidence, role map, authority records and natural-person KYC
- Primary citation
- Financial Intelligence Act 2022, s.2 beneficial-owner definition; Financial Intelligence Regulations 2022, regs. 9-10 [01][02]
Understand the business and source of funds
- Implementation action
- Corroborate operating activity, licences, customers, suppliers, expected transactions and source of funds. For elevated risk, establish source of wealth and obtain financial, contractual or tax evidence proportionate to risk.
- Evidence to retain
- Business profile, licence checks, bank statements, financial statements, contracts, invoices and source evidence
- Primary citation
- Financial Intelligence Act 2022, ss.16, 19, 21 and 22 [01]
05PEPs and enhanced due diligenceBotswana uses the statutory term prominent influential person. Apply the current definition as amended in 2025 and enhanced controls to customers and beneficial owners who fall within it.4 items+
Identify prominent influential persons
- Implementation action
- Use risk-management systems to determine whether a customer or beneficial owner is a domestic, foreign or international-organisation prominent influential person, including relevant immediate family members and close associates under the current statutory definition.
- Evidence to retain
- Screening result, public-function record, relationship map, match analysis and review date
- Primary citation
- Financial Intelligence Act 2022, ss.2 and 22, as amended by Act No. 1 of 2025 [01][04][05]
Apply mandatory PEP controls
- Implementation action
- Before establishing the relationship obtain senior-management approval, take reasonable measures to establish source of wealth and source of funds, and apply enhanced ongoing monitoring. Apply the same controls when a customer or beneficial owner becomes a PEP during the relationship.
- Evidence to retain
- Senior approval, source-of-wealth file, source-of-funds file and enhanced monitoring plan
- Primary citation
- Financial Intelligence Act 2022, s.22 [01]
Apply EDD to all prescribed higher-risk cases
- Implementation action
- Apply EDD to high-risk customers, businesses and jurisdictions; complex or unusually large transactions; unusual patterns; transactions without apparent economic or legal purpose; relevant insurance beneficiaries; correspondent banking; and countries subject to FATF or FIA heightened measures.
- Evidence to retain
- EDD checklist, additional documents, rationale, approvals and monitoring controls
- Primary citation
- Financial Intelligence Act 2022, s.21 [01]
Examine unusual transactions
- Implementation action
- Examine and document the background and purpose of complex, unusual, high-risk or apparently purposeless transactions. Increase the degree and nature of monitoring and preserve written findings for regulator access.
- Evidence to retain
- Investigation file, customer explanation, corroborating evidence, written conclusion and escalation decision
- Primary citation
- Financial Intelligence Act 2022, s.29; Financial Intelligence Regulations 2022, reg. 11(2) [01][02]
06Sanctions and targeted financial sanctionsScreen against current UN and national designations and execute Botswana's targeted financial sanctions process within the statutory clocks.5 items+
Maintain authoritative sanctions inputs
- Implementation action
- Maintain current UN Security Council and Botswana national-list inputs and an auditable process for receiving lists and amendments circulated by the competent authorities. Screen customers, beneficial owners, controllers, authorised persons, counterparties and relevant transactions.
- Evidence to retain
- List inventory, subscription and receipt logs, screening scope, timestamps and quality checks
- Primary citation
- Financial Intelligence (Implementation of UNSCR) Regulations 2022, regs. 6, 10 and 24-25 [03]
Freeze UN-designated property within eight hours
- Implementation action
- On receipt of a circulated UN list, identify and freeze without prior notice and without delay, and in no case later than eight hours, all directly or indirectly owned or controlled property and economic resources, including jointly controlled property and property of persons acting on behalf or at the direction of the designee.
- Evidence to retain
- List receipt time, screening completion, match decision, freeze timestamp, asset inventory and control-link analysis
- Primary citation
- Financial Intelligence (Implementation of UNSCR) Regulations 2022, reg. 11 [03]
Execute national-list freezing orders without delay
- Implementation action
- On receipt of a national freezing order, freeze the listed person's property or economic resources without prior notification and prevent dealing or making property available except under lawful authorisation.
- Evidence to retain
- Order receipt, legal validation, freeze record, blocked transaction and customer-communication control
- Primary citation
- Financial Intelligence (Implementation of UNSCR) Regulations 2022, regs. 6 and 20-21 [03]
File positive and nil returns
- Implementation action
- Without delay report actions taken and full particulars of identified and frozen property, including attempted transactions. Where the required database search identifies no property, submit the prescribed written nil return.
- Evidence to retain
- Positive or nil return, submission timestamp, asset details and acknowledgement
- Primary citation
- Financial Intelligence (Implementation of UNSCR) Regulations 2022, regs. 6(7)-(9) and 11 [03]
Control unfreezing and false positives
- Implementation action
- Unfreeze only under a valid delisting notice, court process or other competent legal authority. Apply the statutory eight-hour unfreezing clock after receipt of a circulated delisting notice and preserve the basis for false-positive resolution.
- Evidence to retain
- Delisting notice, authority check, unfreeze timestamp, return report and false-positive file
- Primary citation
- Financial Intelligence (Implementation of UNSCR) Regulations 2022, regs. 13 and 15-17 [03]
07Transaction monitoring and regulatory reportingMonitor continuously, escalate suspicion promptly and submit the prescribed reports through FIA channels without tipping off.8 items+
Monitor transactions and relationships continuously
- Implementation action
- Use risk-calibrated rules and investigations to compare transactions with the customer's known business, expected activity, source of funds and risk profile. Cover cash, wires, rapid movement, third-party funding, structuring, unusual complexity and high-risk geographies.
- Evidence to retain
- Scenario inventory, thresholds, tuning and validation, alert cases, dispositions and management reporting
- Primary citation
- Financial Intelligence Act 2022, ss.19 and 29; Financial Intelligence Regulations 2022, reg. 29 [01][02]
File STRs within five working days
- Implementation action
- Report a suspicious transaction to the FIA as soon as possible and no later than five working days after suspicion arose. Apply the duty during establishment, throughout the relationship and to occasional, attempted or proposed transactions. Seek written FIA approval if reporting after the prescribed period.
- Evidence to retain
- Suspicion timestamp, internal escalation, decision record, STR, FIA receipt and any extension approval
- Primary citation
- Financial Intelligence Act 2022, ss.2 and 38; Financial Intelligence Regulations 2022, reg. 22(1) [01][02]
Submit reports through the FIA portal
- Implementation action
- Use the FIA internet-based reporting portal and current goAML process. If technically unable to report electronically, complete the prescribed form and use a fallback method authorised by the Regulations or FIA, retaining evidence of why the fallback was necessary.
- Evidence to retain
- goAML registration, portal receipt, submitted form, fallback approval or delivery evidence and access-control log
- Primary citation
- Financial Intelligence Regulations 2022, regs. 20-21; FIA goAML STR web guide [02][06]
Prevent tipping off
- Implementation action
- Do not disclose an STR, contemplated report or investigation to the customer or another unauthorised person. Restrict case access, communications and data-subject responses where disclosure would prejudice an investigation.
- Evidence to retain
- Role-based access, confidentiality acknowledgements, scripts, training and disclosure-review log
- Primary citation
- Financial Intelligence Act 2022, ss.2 and 46; NBFIRA data-protection/AML guidance 2026 [01][16]
Report cash transactions of P10,000 or more
- Implementation action
- Report a cash transaction concluded with a customer where the amount is P10,000 or more, or the foreign-currency equivalent. Submit as soon as possible and no later than five working days after conclusion through the FIA portal or permitted fallback. Do not treat the threshold report as a substitute for an STR.
- Evidence to retain
- Cash aggregation logic, cash report, transaction date, submission receipt and linked STR assessment
- Primary citation
- Financial Intelligence Act 2022, ss.39-40; Financial Intelligence Regulations 2022, regs. 20 and 22(2) [01][02]
Report covered cross-border wires
- Implementation action
- A financial institution sending out of or receiving into Botswana a wire transfer of P10,000 or more on behalf or on instruction of a customer or other person must submit the prescribed report. Keep complete originator and beneficiary information with the transfer and apply repair, reject or suspend controls where information is missing.
- Evidence to retain
- Wire report, message fields, verification results, repair or reject queue and FIA receipt
- Primary citation
- Financial Intelligence Act 2022, s.42; Financial Intelligence Regulations 2022, regs. 25-28 [01][02]
Escalate urgent transactions before execution
- Implementation action
- Where executing a reported transaction could jeopardise an investigation or put proceeds beyond Botswana authorities, contact the FIA Director General or authorised officers as soon as reasonably possible for consultation and intervention. Preserve the legal basis for proceeding, delaying or stopping.
- Evidence to retain
- Urgent escalation log, FIA contact, instruction, transaction status and legal approval
- Primary citation
- Financial Intelligence Act 2022, ss.44-45; Financial Intelligence Regulations 2022, reg. 23 [01][02]
Respond securely to FIA and supervisor requests
- Implementation action
- Maintain search, legal-review and secure-production procedures so records can be made available swiftly to FIA, the supervisor and competent authorities under lawful authority.
- Evidence to retain
- Request register, search record, production package, approvals and delivery receipt
- Primary citation
- Financial Intelligence Act 2022, ss.31(3), 36-37 and 49 [01]
08Records, assurance and trainingBotswana's 20-year AML retention rule is substantially longer than common international defaults and must be designed explicitly into systems.5 items+
Retain transaction records for 20 years
- Implementation action
- Keep domestic and international transaction records for 20 years from the date each transaction is concluded. Preserve enough information to reconstruct the transaction, including amount, currency, accounts and parties.
- Evidence to retain
- Retention schedule, transaction archive, immutable timestamps, reconstruction test and legal-hold controls
- Primary citation
- Financial Intelligence Act 2022, ss.31-32(1)(a) [01]
Retain CDD and relationship records for 20 years
- Implementation action
- After termination of a business relationship or an occasional transaction, retain CDD records, account files, business correspondence and analysis results for 20 years. Keep STR and related reporting records for at least the corresponding prescribed period and protect confidentiality.
- Evidence to retain
- Closure-date field, CDD archive, correspondence, analysis file, STR archive and deletion controls
- Primary citation
- Financial Intelligence Act 2022, s.32(1)(b); Financial Intelligence Regulations 2022, reg. 18 [01][02]
Apply longer investigatory holds
- Implementation action
- Extend retention where an investigatory authority requires a longer period in writing. Suspend deletion immediately when a legal hold, examination, investigation or litigation applies.
- Evidence to retain
- Written request, legal-hold register, affected-record inventory and release approval
- Primary citation
- Financial Intelligence Act 2022, s.32(2) [01]
Control outsourced record keeping
- Implementation action
- Where a third party keeps records, notify the supervisor with prescribed particulars, maintain sufficient access without delay and recognise that the specified party remains liable for failure.
- Evidence to retain
- Supervisor notice, processor details, contract, access test, retrieval SLA and oversight reviews
- Primary citation
- Financial Intelligence Act 2022, s.33; Financial Intelligence Regulations 2022, reg. 19 [01][02]
Train staff and test controls
- Implementation action
- Train directors, employees, agents and relevant contractors on Botswana-specific CDD, cash and wire thresholds, five-working-day reporting, TFS clocks, privacy and tipping-off. Conduct independent testing proportionate to risk and remediate findings.
- Evidence to retain
- Role-based curriculum, attendance, assessments, audit plan, findings, owners and closure evidence
- Primary citation
- Financial Intelligence Act 2022, s.14; Financial Intelligence Regulations 2022, reg. 29 [01][02]
09Payment services, banking, fintech and virtual assetsLicensing depends on the activity performed, not the technology or marketing label used.7 items+
Classify payment activities before launch
- Implementation action
- Map account issuance, e-money, remittance, merchant acquiring or payment gateways, payment initiation, account information and related services against the current Bank of Botswana perimeter. Obtain written regulatory analysis before relying on an exclusion.
- Evidence to retain
- Activity and funds-flow map, perimeter memo, Bank correspondence and product approval
- Primary citation
- Bank of Botswana Fintech Analytical Assessment Framework 2025; Electronic Payment Services Regulations 2019, as amended [10][11][12]
Obtain an electronic payment service licence
- Implementation action
- Do not operate an electronic payment service without a Bank of Botswana licence unless a clear statutory exclusion applies. Submit the prescribed application, ownership and controller information, business plan, governance, risk, safeguarding and technology materials required for the service.
- Evidence to retain
- Application pack, significant-shareholder and officer files, business plan, licence and approved service scope
- Primary citation
- Electronic Payment Services Regulations 2019, regs. 3-4, as amended through 2026; Bank of Botswana legislation page [10][11]
Obtain banking authorisation where applicable
- Implementation action
- A deposit-taking or banking model must be assessed under the Banking Act 2023 and Banking Regulations 2025. Do not use an EPS licence to conduct banking business outside its scope.
- Evidence to retain
- Banking-perimeter analysis, application, licence, approved activities and conditions register
- Primary citation
- Banking Act 2023, s.8; Banking Regulations 2025; Bank of Botswana licensing requirements [11][12]
Address payment-system recognition and oversight
- Implementation action
- Where the model operates or participates in a clearing, settlement or payment system, assess recognition or licensing under the National Clearance and Settlement Systems framework and current Bank oversight policy.
- Evidence to retain
- System map, recognition analysis, application, approval and oversight reporting calendar
- Primary citation
- National Clearance and Settlement Systems Act Cap. 46:06 and Regulations 2005; Bank of Botswana oversight page [11][12]
Apply AML controls to agents and remittance networks
- Implementation action
- For money or value transfer services, use only licensed or registered agents, maintain a current agent list accessible to competent authorities, include agents in the compliance programme and monitor their compliance.
- Evidence to retain
- Agent due diligence, licence checks, agent register, contract, training, monitoring and termination records
- Primary citation
- Financial Intelligence Act 2022, s.18 [01]
Obtain a NBFIRA virtual-asset licence
- Implementation action
- Do not provide regulated virtual-asset services or issue an initial token offering without the required NBFIRA authorisation. Apply the Virtual Assets Act 2025, Financial Intelligence Act obligations, Travel Rule controls, fit-and-proper requirements and current NBFIRA guidance.
- Evidence to retain
- Activity classification, NBFIRA application, controller and beneficial-owner files, AML programme, licence and Travel Rule controls
- Primary citation
- Virtual Assets Act 2025; NBFIRA AML guidance and 2025 National Risk Assessment [13][14]
Maintain operational resilience and customer-fund controls
- Implementation action
- Implement governance, safeguarding, reconciliation, cyber security, outsourcing, business continuity, incident response, complaints and regulatory reporting required by the relevant Bank or NBFIRA licence.
- Evidence to retain
- Safeguarding account, daily reconciliation, resilience tests, vendor register, incidents, complaints and regulatory receipts
- Primary citation
- Electronic Payment Services Regulations 2019 and current Bank guidance; applicable NBFIRA licence conditions [10][11][13]
10Data protection and digital identity operationsThe Data Protection Act 2024 applies alongside AML duties. The Financial Intelligence Act prevails where there is a conflict concerning financial-offence controls, but this does not displace ordinary privacy compliance.7 items+
Document a lawful basis for KYC and AML data
- Implementation action
- Map each processing purpose and legal basis. Compliance with Financial Intelligence Act duties forms a legal-obligation basis for collecting, verifying, monitoring, reporting and retaining relevant data; do not default to consent where processing is legally required.
- Evidence to retain
- Processing inventory, lawful-basis register, privacy notice, purpose map and legal analysis
- Primary citation
- Data Protection Act 2024, ss.19-26; Financial Intelligence Act 2022, s.3; NBFIRA guidance 2026 [01][15][16]
Apply privacy principles and security
- Implementation action
- Process personal data lawfully, fairly and transparently; limit purpose and collection; maintain accuracy; apply storage controls; and implement appropriate technical and organisational security. Restrict access to sensitive identity, biometric, sanctions and STR data.
- Evidence to retain
- Privacy notices, data inventory, access matrix, encryption, retention rules, security tests and audit logs
- Primary citation
- Data Protection Act 2024, ss.19-25 and 62 [15]
Appoint a data protection officer where required
- Implementation action
- Designate a qualified DPO where core activities involve large-scale regular and systematic monitoring, large-scale sensitive-data processing, criminal-offence data or another statutory trigger. Ensure independence, senior reporting and notification of contact details to the Commission.
- Evidence to retain
- Applicability assessment, appointment, role description, independence safeguards and Commission notification
- Primary citation
- Data Protection Act 2024, ss.69-72; NBFIRA guidance 2026 [15][16]
Complete DPIAs for high-risk processing
- Implementation action
- Before high-risk processing, complete a DPIA, including for large-scale sensitive or criminal-offence data and qualifying automated profiling. Consult the Commission before processing where residual high risk remains without adequate mitigation.
- Evidence to retain
- DPIA, necessity and proportionality assessment, safeguards, DPO advice, residual-risk approval and consultation record
- Primary citation
- Data Protection Act 2024, ss.65-68 [15]
Notify qualifying personal-data breaches within 72 hours
- Implementation action
- Notify the Information and Data Protection Commission without undue delay and, where feasible, within 72 hours after awareness unless the breach is unlikely to risk data-subject rights and freedoms. Give reasons for delay; processors must notify controllers without undue delay. Communicate to affected people where the Act requires.
- Evidence to retain
- Incident timeline, risk assessment, Commission notice, delay reasons, processor notice, data-subject communication and remediation
- Primary citation
- Data Protection Act 2024, ss.63-64 [15]
Control cross-border transfers
- Implementation action
- Before transferring or hosting personal data outside Botswana, document a Commission adequacy decision or appropriate safeguards and enforceable rights under the Act. Use binding instruments, approved clauses, binding corporate rules or other lawful mechanisms as applicable; obtain specific authorisation where required.
- Evidence to retain
- Transfer inventory, destination assessment, approved safeguard, processor contract, authorisation and security review
- Primary citation
- Data Protection Act 2024, ss.74-78 [15]
Reconcile erasure rights with AML retention and secrecy
- Implementation action
- Do not erase records during the mandatory Financial Intelligence Act retention period where retention is a legal obligation. Restrict access or information where necessary to avoid tipping off or prejudicing an investigation, document the legal basis, and securely delete after all legal holds and retention periods expire.
- Evidence to retain
- Rights-request log, restriction rationale, legal hold, retention calculation and deletion certificate
- Primary citation
- Financial Intelligence Act 2022, ss.3, 32 and 46; Data Protection Act 2024, ss.44 and 50; NBFIRA guidance 2026 [01][15][16]
11Practical onboarding and audit evidence packUse this evidence pack as a minimum operational starting point, then add sector- and risk-specific documents.6 items+
Natural-person KYC evidence pack
- Implementation action
- Collect verified identity, prescribed personal particulars, contact and address information, purpose and intended nature, expected activity, source of funds, customer risk rating, PEP and sanctions results, representative authority where applicable, and review or exception approvals.
- Evidence to retain
- Omang, passport or refugee ID as applicable; verification result; customer profile; source evidence; screening; risk score; consent or notice records where relevant; audit trail
- Primary citation
- Financial Intelligence Act 2022, ss.16, 19-22 and 31; Financial Intelligence Regulations 2022, regs. 4-6 and 14-17 [01][02]
Corporate KYB evidence pack
- Implementation action
- Collect current CIPA and constitutional records, registered and operating addresses, tax and trade records, directors and manager, board authority, authorised signatories, full ownership and control chain, natural-person beneficial owners, nominee arrangements, business purpose, expected activity, licences, source of funds and risk screening.
- Evidence to retain
- Certificate; CIPA extract; constitution; BURS evidence; trade or sector licence; registers; resolution; ownership chart; BO and nominee declarations; UBO KYC; financial and operating evidence; screening; risk approval
- Primary citation
- Financial Intelligence Act 2022, ss.2, 16, 20-22 and 31; Financial Intelligence Regulations 2022, reg. 7; CIPA notice [01][02][08]
Trust or partnership evidence pack
- Implementation action
- Collect the constituting instrument, registry and address evidence, purpose and activities, persons authorised to act, every prescribed trust party or partner, ultimate controllers, beneficiaries or class, source of funds, screening and risk approval.
- Evidence to retain
- Trust deed or partnership agreement; registration; role map; authority; settlor, trustee, protector, beneficiary, partner and controller KYC; source evidence; screening; risk record
- Primary citation
- Financial Intelligence Act 2022, s.2; Financial Intelligence Regulations 2022, regs. 9-10 [01][02]
High-risk and PEP evidence pack
- Implementation action
- Add senior-management approval, source of wealth and funds, corroborating documents, adverse-information review, detailed purpose, enhanced monitoring scenarios and shorter review frequency.
- Evidence to retain
- Approval, wealth narrative, bank and asset evidence, tax or financial records, investigation notes, monitoring plan and review calendar
- Primary citation
- Financial Intelligence Act 2022, ss.21-22 [01]
Transaction and reporting evidence pack
- Implementation action
- Preserve alerts, investigation steps, customer explanations, transaction reconstruction, internal escalation, report decision, STR or threshold report, submission timestamp, FIA receipt, confidentiality controls and follow-up requests.
- Evidence to retain
- Case file, transaction data, chronology, decision, goAML receipt, cash or wire report, access log and FIA correspondence
- Primary citation
- Financial Intelligence Act 2022, ss.31-46; Financial Intelligence Regulations 2022, regs. 18 and 20-28 [01][02]
Govern exceptions and auditability
- Implementation action
- Record who performed each check, the source and time, discrepancies, overrides, approvals, refresh dates and final decision. Make the full case reconstructable without relying on undocumented analyst knowledge.
- Evidence to retain
- Immutable case chronology, source references, reviewer and approver IDs, discrepancy resolution, override rationale and exportable audit report
- Primary citation
- Financial Intelligence Act 2022, ss.14, 31-36; Financial Intelligence Regulations 2022, regs. 18 and 29-32 [01][02]

11 control areas and 66 implementation checks, with direct regulatory sources.
Download the Botswana KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Botswana implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.0, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
18 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- 01Botswana Ministry of Finance, Financial Intelligence Agency · Financial Intelligence Act 2022, Act No. 2 of 2022
- 02Botswana Ministry of Finance, Financial Intelligence Agency · Financial Intelligence Regulations 2022, S.I. No. 14 of 2022
- 03Botswana Ministry of Finance, Financial Intelligence Agency · Financial Intelligence (Implementation of United Nations Security Council Resolutions) Regulations 2022, S.I. No. 13 of 2022
- 04Botswana e-Laws · Financial Intelligence (Amendment) Act 2025, Act No. 1 of 2025
- 05Bank of Botswana and Financial Stability Council · Financial Stability Report May 2025 confirming commencement and principal effects of the Financial Intelligence (Amendment) Act 2025
- 06Botswana Ministry of Finance, Financial Intelligence Agency · goAML suspicious transaction reporting web guide
- 07Botswana Ministry of Finance, Financial Intelligence Agency · Current FIA legislation, reporting guidance and publication hub
- 08Companies and Intellectual Property Authority Botswana · Official OBRS notice on mandatory constitutions, beneficial-owner declarations and nominee arrangements
- 09Botswana e-Laws · Companies (Amendment) Act 2025, Act No. 3 of 2025
- 10Bank of Botswana · Electronic Payment Services Regulations 2019
- 11Bank of Botswana · Current payment legislation and regulations hub, including the Electronic Payment Services (Amendment) Regulations 2026
- 12Bank of Botswana · Fintech Analytical Assessment Framework, 15 October 2025
- 13Non-Bank Financial Institutions Regulatory Authority Botswana · Current NBFIRA virtual-asset licensing and supervision guidance
- 14Botswana National Coordination Office and NBFIRA · Botswana Money Laundering and Terrorist Financing National Risk Assessment Report 2025, issued 2026
- 15Republic of Botswana Government Gazette · Data Protection Act 2024, Act No. 18 of 2024
- 16Non-Bank Financial Institutions Regulatory Authority Botswana · Guidance on reconciling Data Protection and AML/CFT obligations for NBFIs, June 2026
- 17Financial Action Task Force · Botswana removed from increased monitoring, October 2021
- 18Financial Action Task Force · Current FATF black and grey lists available as at 15 July 2026
Direct answers
Botswana KYC, KYB and AML questions
Who receives suspicious transaction reports in Botswana?+
The Financial Intelligence Agency is Botswana's central financial intelligence unit. Reports are submitted through its internet-based reporting portal and current goAML process, subject to the permitted fallback methods in the Regulations.
How quickly must a suspicious transaction be reported?+
As soon as possible and no later than five working days after the suspicion arose, unless the FIA approves later reporting in writing. Urgent cases that risk frustrating an investigation or moving proceeds beyond reach should also be escalated to the FIA as soon as reasonably possible.
Does Botswana require cash transaction reports?+
Yes. A cash transaction of P10,000 or more, or the foreign-currency equivalent, is reportable as soon as possible and no later than five working days after it is concluded. Suspicion must still be reported separately regardless of amount.
What is Botswana's beneficial-ownership threshold for customer due diligence?+
The 2022 Regulations require identification of a natural person who directly or indirectly holds more than 10% of shares, voting rights or other ownership interest. Ownership percentage is not the only test: control through other means and, if no natural person is identified after reasonable measures, the senior-managing-official fallback must also be considered.
Must Botswana companies declare beneficial owners to CIPA?+
Yes. CIPA states that all new and existing companies must declare natural persons with ultimate ownership or control, the nature of their interest, and nominee or alternate director and shareholder arrangements through the Online Business Registration System.
How long must AML records be kept?+
The Financial Intelligence Act requires 20 years: transaction records run from the transaction date, while CDD, account, correspondence and analysis records run after termination of the business relationship or occasional transaction. An investigatory authority may require longer retention in writing.
How quickly must UN sanctions matches be frozen?+
After receipt of a circulated UN Security Council list, covered persons must identify and freeze relevant property without delay, without prior notice and no later than eight hours, then report the action and property particulars without delay.
Is Botswana on the FATF grey list?+
No. FATF removed Botswana from increased monitoring in October 2021, and Botswana does not appear on FATF's current public lists available as at 15 July 2026. Firms must still monitor current FATF and FIA country-risk notices.
Do fintechs need a licence in Botswana?+
Licensing depends on activity. Electronic payment services generally require Bank of Botswana licensing; banking and deposit-taking require the relevant banking authorisation; payment-system operation may require recognition; and regulated virtual-asset services require NBFIRA authorisation under the 2025 regime.
How does Botswana data protection interact with AML record keeping?+
Financial Intelligence Act duties form a legal basis for necessary AML processing and 20-year retention. The Data Protection Act still requires transparency, minimisation, security, rights handling, DPIAs where triggered, breach notification and lawful transfer controls. The FI Act prevails only where a conflict concerns combating financial offences.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.0
Operational guidance, not legal advice. Requirements vary by activity, licence and supervisory authority. Confirm the current consolidated legislation, FIA instructions, sector rules and licence conditions before implementation.