KYC, KYB & AML compliance checklist
Kenya KYC, KYB & AML
A practical implementation checklist for reporting institutions working under Kenya's anti-money laundering, counter-terrorist financing and counter-proliferation financing framework.
- Reviewed
- 14 July 2026
- Version
- 1.0
- control areas
- 7
- implementation checks
- 45
Direct answer
What does the Kenya compliance checklist cover?
The Kenya checklist translates primary KYC, KYB and AML rules into 7 control areas and 45 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Primary FIU / AML supervisor
- Financial Reporting Centre
- Core rules
- POCAMLA and 2023 Regulations
- Record retention
- Minimum 7 years
- Suspicion reporting
- Within 2 days after suspicion arises
Implementation detail
Kenya compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Applicability and governanceEstablish whether the organization is a reporting institution and make accountability visible.7 items+
Confirm reporting-institution status
- Implementation action
- Determine whether the business is a financial institution, designated non-financial business or profession, or virtual asset service provider under section 2 of POCAMLA. Apply activity-specific limits in section 48 where relevant and identify the FRC and any First Schedule sector supervisor.
- Evidence to retain
- Documented applicability and sector-overlay assessment
- Primary citation
- POCAMLA, ss.2 and 48; First Schedule
Confirm the competent supervisor
- Implementation action
- Identify the sector supervisor or self-regulatory body and the FRC obligations that apply to the institution.
- Evidence to retain
- Regulatory obligations register
- Primary citation
- FRC compliance guidance
Register with the FRC
- Implementation action
- Complete FRC registration, keep particulars current and notify changes to registration information within 90 days.
- Evidence to retain
- Registration confirmation, change log and profile owner
- Primary citation
- POCAMLR 2023; FRC compliance guidance
Appoint accountable AML leadership
- Implementation action
- Appoint an MLRO at management level with the necessary competence, authority and independence. Notify both the FRC and the supervisory body of appointment or removal within 14 days. An internal auditor or chief executive may not serve as MLRO, except that a chief executive may do so for a sole proprietorship.
- Evidence to retain
- Appointment, role description and dual notifications
- Primary citation
- POCAMLR 2023, reg. 12
Plan VASP transition where applicable
- Implementation action
- Existing virtual asset service providers should map the VASP Act 2025 licensing transition through 4 November 2026 and distinguish enacted requirements from draft 2026 regulations.
- Evidence to retain
- VASP transition plan and legal-status register
- Primary citation
- Virtual Asset Service Providers Act 2025
Approve a risk-based AML/CFT/CPF program
- Implementation action
- Maintain policies, customer-risk methodology, controls, training, testing and governance proportionate to the institution's risks.
- Evidence to retain
- Board-approved program and risk assessment
- Primary citation
- POCAMLA and POCAMLR 2023
Conduct the mandatory institution-wide risk assessment
- Implementation action
- Assess ML, TF and PF risks across customers, countries and geographies, products, services, transactions and delivery channels. Keep it current, update the program at least every two years, obtain board approval for controls and assess risk before new products, practices, delivery mechanisms or technologies.
- Evidence to retain
- Current institutional assessment, board approval and new-product reviews
- Primary citation
- POCAMLR 2023, regs. 7-8
02KYC for natural personsIdentify the customer, verify identity from reliable independent sources and understand why the relationship exists.6 items+
Collect core identity particulars
- Implementation action
- Capture full legal name, date and place of birth, nationality, contact details, residential address, occupation and identity-document details appropriate to the customer.
- Evidence to retain
- Completed customer profile
- Primary citation
- POCAMLA, s.45; POCAMLR 2023, regs. 14-15
Verify identity independently
- Implementation action
- Verify the customer using reliable, independent source documents, data or information such as a valid national identity card or passport.
- Evidence to retain
- Verified document copy and verification result
- Primary citation
- POCAMLA, s.45; POCAMLR 2023, regs. 14-15
Verify authority to act
- Implementation action
- When another person acts for the customer, identify and verify that person and confirm their authority.
- Evidence to retain
- Authority instrument and agent KYC
- Primary citation
- POCAMLA, s.45(3); POCAMLR 2023, reg. 23
Understand purpose and intended nature
- Implementation action
- Record the expected use, products, transaction profile, counterparties and reason for the relationship.
- Evidence to retain
- Purpose and expected-activity statement
- Primary citation
- POCAMLR 2023, reg. 14(2)(c)
Establish financial profile
- Implementation action
- Collect information proportionate to risk on occupation, income, source of funds and, where needed, source of wealth.
- Evidence to retain
- Financial profile and supporting evidence
- Primary citation
- POCAMLR 2023, regs. 14 and 26
Resolve failed verification
- Implementation action
- If required CDD cannot be completed, do not open the account, establish the relationship or execute the transaction; terminate an existing relationship where applicable; and file an STR. If completing CDD would tip off the customer, stop CDD and file an STR.
- Evidence to retain
- Decline or exit decision and STR record
- Primary citation
- POCAMLR 2023, reg. 25
03KYB for legal persons and arrangementsVerify the entity, understand its ownership and control, and identify the natural persons behind it.7 items+
Verify legal existence
- Implementation action
- Obtain the registered name, incorporation or registration evidence, legal form, registration number and governing documents.
- Evidence to retain
- Registry extract and certified incorporation documents
- Primary citation
- POCAMLR 2023, reg. 16(1)(a)-(b)
Verify addresses and activity
- Implementation action
- Confirm the registered office, principal place of business, business activity and operating footprint.
- Evidence to retain
- Address evidence and business profile
- Primary citation
- POCAMLR 2023, reg. 16(1)(c)
Verify authority and signatories
- Implementation action
- Obtain the board resolution or equivalent authority and identify and verify authorized signatories.
- Evidence to retain
- Resolution, mandate and signatory KYC
- Primary citation
- POCAMLA, s.45(3); POCAMLR 2023, regs. 16(1)(d) and 23
Identify managers, controllers and owners
- Implementation action
- Collect the identity particulars of natural persons managing, controlling or owning the entity.
- Evidence to retain
- Directors and ownership register
- Primary citation
- POCAMLR 2023, reg. 16(1)(e)
Identify and verify beneficial owners
- Implementation action
- Obtain and validate company BO information, including relevant CR12 or BOF1 evidence. Do not treat registry evidence or a 10% threshold as conclusive for AML: identify controlling ownership, control by other means, or only after reasonable measures the senior managing official.
- Evidence to retain
- Ownership chart, BO declaration, registry evidence and verified BO KYC
- Primary citation
- POCAMLR 2023, regs. 14(2)(b), 16(2) and 22
Obtain financial information
- Implementation action
- Collect audited financial statements for the last full year for corporate bodies, subject to the regulation's treatment of newly formed entities; apply the relevant rule for sole traders.
- Evidence to retain
- Financial statements or documented exception
- Primary citation
- POCAMLR 2023, reg. 16(1)(f)-(g)
Recommended: screen connected persons
- Implementation action
- As an implementation control, screen the entity, beneficial owners, directors, controllers and authorized signatories in line with the institution's documented risk-based program and any sector rule.
- Evidence to retain
- Screening results and disposition log
- Primary citation
- Recommended risk-based control; confirm sector rule
04Risk assessment and screeningUse documented risk factors to determine the level of due diligence and monitoring.6 items+
Recommended: document customer risk rating
- Implementation action
- Assess customer, geography, product, service, delivery channel, transaction and ownership risks and retain the methodology, rationale and approval required by the institution's program or sector rule.
- Evidence to retain
- Risk score, rationale and approver
- Primary citation
- Risk-based obligations; confirm sector methodology
Apply targeted financial sanctions
- Implementation action
- Screen customers, BOs, controllers, agents and transaction parties against current UN and Kenya Domestic Lists at onboarding, on list or customer changes, ongoing and before relevant transactions. On a match, without delay or notice freeze all directly, indirectly, wholly or jointly owned or controlled funds or other assets, including derived and directed assets. Do not make funds, assets, economic resources or services available. Within 24 hours report frozen assets, actions and attempts through the Committee Secretary at the FRC, file an STR where required and release nothing without authorization or valid delisting.
- Evidence to retain
- Screening, freeze, prohibition, reporting and release audit trail
- Primary citation
- TFS Regulations 2024, regs. 6-9 and 15; PF Regulations, regs. 6-8; FRC TFS Guidance 2025
Apply the correct PEP treatment
- Implementation action
- Identify foreign, domestic and international-organization PEPs, including relevant family and close associates. For foreign PEPs, obtain senior approval, establish source of wealth and funds and enhance monitoring. Apply the same measures to domestic and international-organization PEPs where higher risk.
- Evidence to retain
- PEP result, approval and source analysis
- Primary citation
- POCAMLR 2023, reg. 26
Use adverse information proportionately
- Implementation action
- Review reliable public information where relevant to the risk assessment and record why information is material or not material.
- Evidence to retain
- Adverse-information review and decision
- Primary citation
- Risk-based control
Check higher-risk jurisdictions
- Implementation action
- Use current FATF and local guidance as an input to risk, without applying automatic blanket rejection solely because a jurisdiction is under increased monitoring.
- Evidence to retain
- Geographic-risk rationale
- Primary citation
- FATF Kenya country profile
Approve or decline with rationale
- Implementation action
- Record the outcome, conditions, review frequency and person authorized to approve the relationship.
- Evidence to retain
- Customer acceptance decision
- Primary citation
- Institution risk-based program
05Enhanced due diligenceApply additional controls when higher money-laundering, terrorist-financing or proliferation-financing risk is identified.5 items+
Collect further identity information
- Implementation action
- Obtain information beyond standard CDD that helps establish identity and risk.
- Evidence to retain
- EDD information pack
- Primary citation
- POCAMLR 2023, reg. 20
Apply extra verification
- Implementation action
- Use additional reliable sources or corroboration to verify supplied documents and claims.
- Evidence to retain
- Independent corroboration record
- Primary citation
- POCAMLR 2023, reg. 20
Obtain senior-management approval where required
- Implementation action
- Require senior approval when the applicable high-risk or PEP rule requires it and document any conditions.
- Evidence to retain
- Approval and conditions
- Primary citation
- POCAMLR 2023, regs. 20 and 26
Establish source of funds and, where applicable, wealth
- Implementation action
- Understand and verify source of funds and establish source of wealth where the applicable PEP or sector rule requires it or where justified by the documented higher risk.
- Evidence to retain
- Source evidence and plausibility analysis
- Primary citation
- POCAMLR 2023, regs. 20 and 26
Increase ongoing monitoring
- Implementation action
- Set tighter review cycles, transaction scrutiny and escalation thresholds for high-risk relationships.
- Evidence to retain
- EDD monitoring plan
- Primary citation
- POCAMLR 2023, reg. 20
06Ongoing due diligence and monitoringKeep customer knowledge current and compare actual activity with the expected profile.5 items+
Monitor transactions and behavior
- Implementation action
- Scrutinize transactions throughout the relationship for consistency with the customer, business, risk profile and source of funds.
- Evidence to retain
- Monitoring rules, alerts and case outcomes
- Primary citation
- POCAMLR 2023, regs. 34-35
Refresh customer information
- Implementation action
- Update CDD based on risk, material changes, trigger events and the adequacy of previously collected data.
- Evidence to retain
- Review schedule and refreshed file
- Primary citation
- POCAMLR 2023, reg. 14(6)
Rescreen relevant parties
- Implementation action
- Rescreen customers and connected persons when lists or risk profiles change and at a frequency aligned to risk.
- Evidence to retain
- Rescreening history
- Primary citation
- Institution risk-based program
Review complex or unusual activity
- Implementation action
- Examine the background and purpose of complex, unusually large or unusual-pattern transactions and retain the analysis.
- Evidence to retain
- Investigation notes and supporting evidence
- Primary citation
- POCAMLA, s.44(1), (4)-(5); POCAMLR 2023, regs. 34-35
Control relationship changes
- Implementation action
- Trigger reassessment for ownership, directors, address, activity, products, geography or transaction-profile changes.
- Evidence to retain
- Event-driven review log
- Primary citation
- Ongoing CDD obligation
07Reporting, records and assuranceEscalate suspicion promptly, retain evidence and test whether the program works.9 items+
Escalate suspicious activity internally
- Implementation action
- Give staff a documented route to escalate unusual or suspicious activity to the MLRO without alerting the customer.
- Evidence to retain
- Internal escalation procedure and training
- Primary citation
- POCAMLA and POCAMLR 2023
Report suspicion to the FRC
- Implementation action
- Submit suspicious transactions or activities, including attempts and available supporting information, within two days after the suspicion arose. Do not substitute a working-day interpretation.
- Evidence to retain
- Filed report reference and decision timeline
- Primary citation
- POCAMLA, s.44(2)-(3); POCAMLR 2023, reg. 38
File applicable cash transaction reports
- Implementation action
- Report cash transactions equivalent to or above USD 15,000 under regulation 40, ordinarily by Friday or the end of the reporting week, or immediately where circumstances require.
- Evidence to retain
- CTR rules, filed reports and reconciliation
- Primary citation
- POCAMLR 2023, reg. 40
Complete annual regulatory reporting
- Implementation action
- Submit the annual compliance report for the preceding calendar year and the FRC-requested list of customers from higher-risk countries by 31 January.
- Evidence to retain
- Submitted reports and approval record
- Primary citation
- POCAMLR 2023, reg. 44; FRC compliance guidance
Prevent tipping off
- Implementation action
- Restrict knowledge of reports and investigations and avoid disclosures that could prejudice the process.
- Evidence to retain
- Access controls and communications guidance
- Primary citation
- POCAMLA reporting framework
Retain CDD and transaction records
- Implementation action
- Retain CDD, account, transaction, correspondence and written-analysis records for at least seven years after the transaction, account closure or relationship termination, and longer where the FRC requires this in writing.
- Evidence to retain
- Retention schedule and retrieval test
- Primary citation
- POCAMLA, s.46; POCAMLR 2023, reg. 42
Make records swiftly available
- Implementation action
- Ensure customer and transaction records can be supplied promptly to competent authorities on appropriate authority.
- Evidence to retain
- Retrieval procedure and audit trail
- Primary citation
- POCAMLA, s.46; POCAMLR 2023, reg. 42
Respect privileged-sector reporting rules
- Implementation action
- For advocates, notaries and other independent legal professionals, first determine whether the activity falls within section 48. Suspicion outside the privilege exemption remains reportable and may be submitted through the LSK. Reporting is not required for information protected by professional secrecy or privilege while ascertaining a legal position or representing a client in judicial, administrative, arbitration or mediation proceedings. Document the assessment without improper disclosure.
- Evidence to retain
- Activity-scope, privilege and reporting-route assessment
- Primary citation
- POCAMLA, ss.18, 44(3)-(3C) and 48; LSK guidance
Train and independently test
- Implementation action
- Train relevant personnel, conduct the mandatory independent audit and track remediation to closure.
- Evidence to retain
- Training register, audit report and action plan
- Primary citation
- POCAMLR 2023, regs. 11(d) and 43

7 control areas and 45 implementation checks, with direct regulatory sources.
Download the Kenya KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Kenya implementation checklist. Regulatory review date: 14 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.0, reviewed 14 July 2026
Trusted by leading compliance teams
Primary-source register
11 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- POCAMLA, latest available versionKenya Law
- POCAMLA Regulations, 2023Kenya Law
- Compliance obligationsFinancial Reporting Centre
- Due diligence guidance for DNFBPs, March 2025Financial Reporting Centre
- Prevention of Terrorism TFS Regulations, 2024Kenya Law
- Prevention of Proliferation Financing RegulationsKenya Law
- Targeted financial sanctions guidance, July 2025Financial Reporting Centre
- Virtual Asset Service Providers Act, 2025Kenya Law
- Companies Beneficial Ownership Information RegulationsKenya Law
- FATF jurisdictions under increased monitoring, 19 June 2026FATF
- Unlocking Business Trust with KYB in KenyaVOVE ID - contextual reading
Direct answers
Kenya KYC, KYB and AML questions
What are the main KYC requirements in Kenya?+
A reporting institution should identify and verify the customer from reliable independent sources, identify and reasonably verify the beneficial owner, understand the purpose and intended nature of the relationship, and conduct ongoing due diligence. The exact data and evidence depend on customer type and risk.
What documents are commonly collected for KYB in Kenya?+
The 2023 Regulations address evidence of registration or incorporation, governing documents, registered and principal business addresses, transaction authority, details of natural persons who manage, control or own the entity, beneficial-owner information and financial statements, subject to the applicable circumstances and exceptions.
How long must AML records be kept in Kenya?+
The 2023 Regulations require reporting institutions to retain transaction records and CDD-related records for a minimum of seven years from completion of the transaction or termination of the account or business relationship.
When must suspicious activity be reported in Kenya?+
Section 44(2)-(3) of POCAMLA and regulation 38 of the 2023 Regulations require suspicious transactions or activities, including attempted transactions, to be reported to the Financial Reporting Centre within two days after the suspicion arose. The legislation does not describe these as working days, and supporting information and directly relevant documentation should accompany the report.
Does Kenya's FATF monitoring status require rejecting Kenyan customers?+
No. Kenya remained under increased monitoring as of 19 June 2026, but FATF does not call for automatic enhanced due diligence or wholesale de-risking solely because a jurisdiction is listed. Apply a proportionate risk-based approach and current Kenyan high-risk-country requirements.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 14 July 2026 · Version 1.0
This is a general Kenya baseline, not legal advice or a complete sector checklist. Requirements differ by institution type, supervisor, product, customer and risk. Apply the relevant CBK, CMA, IRA, SASRA, LSK, VASP or other sector overlay and confirm current law and regulator guidance before implementation.