KYC, KYB & AML compliance checklist
Mozambique KYC, KYB & AML
Operational evidence prompts for Mozambique's amended AML/CFT/CPF framework, GIFiM reporting, customer and beneficial-owner due diligence, CREL declarations, sanctions, payments, e-money, agents, VASPs and the current privacy and FATF position.
- Reviewed
- 15 July 2026
- Version
- 1.8
- control areas
- 11
- implementation checks
- 48
Direct answer
What does the Mozambique compliance checklist cover?
The Mozambique checklist translates primary KYC, KYB and AML rules into 11 control areas and 48 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Financial intelligence unit
- GIFiM
- Principal AML law
- Law 14/2023, as amended by Law 3/2024
- STR timing and method
- Electronic filing under GIFiM procedures within 24 hours of detection or execution; if impossible, no later than 3 working days; physical only exceptionally where technical conditions are unavailable
- Threshold reports
- Cash at or above MZN 250,000; other transactions at or above MZN 750,000; aggregate fractionation daily, weekly and monthly and report on the aggregate
- Occasional-transaction CDD
- At or above MZN 900,000, plus every statutory non-value trigger
- Beneficial-owner indicator
- Law 14/KYB/CREL: at least 10%; Decree 53 Article 13 indicator: more than 10%; always test other control and use fallback only after exhausting all possible means with no suspicion
- General AML retention
- 10 years after account closure or end of the relationship
- Targeted sanctions
- Freeze immediately, no later than 24 hours after dissemination, and report to GIFiM within the same 24-hour period
- FATF status
- Not under increased monitoring or a call for action at 15 July 2026; removed 24 October 2025
Implementation detail
Mozambique compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Scope, authorities and licensingStart with the regulated activity, reporting-entity category and responsible supervisor. AML duties do not replace market-entry authorization.4 items+
Classify the entity and activity under the AML law
- Implementation action
- Map every product and service to the financial-entity or designated non-financial category in Articles 4-5, including real estate, casinos, precious metals/stones, vehicles, legal/accounting and trust/company services where applicable.
- Evidence to retain
- Perimeter memorandum, product inventory, legal-entity chart, reporting-entity classification and approval record.
- Primary citation
- Law 14/2023, Articles 4-5
Map GIFiM and the competent supervisor
- Implementation action
- Treat GIFiM as the FIU and identify the Article 55 supervisor: Banco de Moçambique for its financial sectors, the insurance supervisor, Inspecção-Geral de Jogos, a professional order, responsible ministry, or GIFiM where no other supervisor exists.
- Evidence to retain
- Supervisor map, registrations, regulatory contacts, filing credentials and inspection correspondence.
- Primary citation
- Law 14/2023, Articles 55-60; Law 2/2018; GIFiM official mandate
Obtain authorization before regulated financial or payment activity
- Implementation action
- Classify banking, credit, e-money, funds-transfer and payment-aggregation models and obtain Banco authorization before incorporation or operation as required.
- Evidence to retain
- License or authorization, application pack, Banco correspondence, approved business plan and conditions register.
- Primary citation
- Law 20/2020, Article 16; Decree 50/2024, Articles 52-59; Banco licensing portal
Separate sandbox testing from production authorization
- Implementation action
- Use Banco's regulatory sandbox only within approved test conditions and establish an authorized-partner or licensing route before production launch.
- Evidence to retain
- Sandbox approval, test scope, participant safeguards, exit plan, partner license or production authorization.
- Primary citation
- Banco de Moçambique regulatory sandbox official pages
02Governance and risk-based controlsControls must reflect documented ML, TF and PF risk rather than a threshold-only compliance model.4 items+
Maintain an enterprise ML/TF/PF risk assessment
- Implementation action
- Assess customers, products, services, transactions, channels, technology and geographies; document inherent risk, controls, residual risk and mitigation.
- Evidence to retain
- Approved risk assessment, methodology, source data, risk appetite, action plan and review minutes.
- Primary citation
- Law 14/2023, Articles 12-13; Decree 53/2023, Articles 4-9
Maintain governance, compliance and independent review
- Implementation action
- Assign accountable senior management and compliance responsibility, maintain proportionate internal controls and test their design and operation independently.
- Evidence to retain
- Governance charter, appointments, management reports, compliance plan, independent-review reports and remediation evidence.
- Primary citation
- Law 14/2023, Articles 46-50; Notice 10/GBM/2024 for Banco-supervised institutions
Train relevant personnel and agents
- Implementation action
- Deliver role-based training on CDD, beneficial ownership, PEPs, monitoring, reporting, sanctions and confidentiality, with sector-specific agent controls.
- Evidence to retain
- Curriculum, attendance, assessments, role matrix, refresher calendar and agent training records.
- Primary citation
- Law 14/2023, Article 51; Notice 10/GBM/2024, Articles 121-126
Apply the Banco sector overlay only where applicable
- Implementation action
- For Banco-supervised institutions, map Notice 10/GBM/2024 requirements to controls, including governance, annual reporting, transfers, agents, e-money and VASPs.
- Evidence to retain
- Obligations register, Notice-to-control mapping, annual return and supervisory submissions.
- Primary citation
- Notice 10/GBM/2024, which repealed Notice 5/GBM/2022
03Natural-person customer due diligenceCDD is event-driven. Values below a threshold do not override suspicion, transfer, relationship or data-quality triggers.4 items+
Trigger CDD at every statutory event
- Implementation action
- Complete CDD when establishing a relationship; for an occasional transaction at or above MZN 900,000; for any domestic or international transfer; on suspicion regardless of value; or where prior identification data are doubtful.
- Evidence to retain
- Trigger matrix, system rules, linked-transaction aggregation, onboarding record and exception logs.
- Primary citation
- Law 14/2023, Article 15(1)-(2)
Collect prescribed natural-person data
- Implementation action
- Capture name/signature, birth details, nationality, sex, marital status/regime, physical address, contacts, parentage, employment/profession and income, identity-document details, NUIT and the nature and amount of income.
- Evidence to retain
- Completed customer profile, source documents, NUIT, address and occupation/income evidence.
- Primary citation
- Decree 53/2023, Article 10(1)
Verify identity using valid authoritative evidence
- Implementation action
- Verify with a valid document issued by a competent authority and containing a current photograph where applicable; authenticate documents and resolve inconsistencies.
- Evidence to retain
- Document image, authenticity result, issuer/expiry data, discrepancy resolution and reviewer audit trail.
- Primary citation
- Decree 53/2023, Article 11(1)-(2)
Control any low-risk alternative identification
- Implementation action
- Use the two-witness/community-authority alternative only where Article 11's low-risk conditions are satisfied and the rationale is documented; never use it to bypass suspicion or higher risk.
- Evidence to retain
- Low-risk assessment, witness identities and standing, authority confirmation, approval and enhanced follow-up where needed.
- Primary citation
- Decree 53/2023, Article 11(2)(a)(xi)
04KYB, CREL and beneficial ownershipThe customer file must explain the entity's existence, purpose, authority, ownership and ultimate natural-person control and reconcile that analysis with CREL.4 items+
Identify and verify the legal person
- Implementation action
- Obtain name, seat/main establishment, contacts, senior managers, NUIT, purpose, activity/group, holders of at least 10% of capital or voting rights, representatives and powers; verify through CREL/public and constitutive records.
- Evidence to retain
- Current CREL certificate, statutes/formation instrument, NUIT, licenses, management record, mandates and foreign-document authentication where applicable.
- Primary citation
- Law 14/2023, Article 15(2)(f), as amended; Decree 53/2023, Articles 10(3) and 11(3)-(5)
Identify the ultimate beneficial owner
- Implementation action
- Apply Law 14's at-least-10% direct/indirect ownership or control test, including collective-investment units, and control by other means. Separately record Decree 53 Article 13's more-than-10% ownership indicator. Current official CREL implementation guidance uses at least 10%. For trusts, identify settlor, trustee, protector if any, beneficiaries/classes and other ultimate controllers.
- Evidence to retain
- Dated ownership chart, registry/share records, voting/control agreements, separate threshold calculations, identity verification and trust instrument.
- Primary citation
- Law 14/2023, Article 3 and annexed glossary definition of ‘beneficiário efectivo,’ plus Article 22; Decree 53/2023, Articles 10 and 13; official CREL beneficial-owner implementation guidance, pending primary full-text confirmation for the registry element
Use the senior-manager fallback correctly
- Implementation action
- Record a senior managing official only after exhausting all possible means, where there is no suspicion, and no natural person has been identified or doubts remain that an identified person is the beneficial owner.
- Evidence to retain
- Exhaustive search steps, negative or doubtful findings, no-suspicion conclusion, control analysis, escalation approval and senior-manager identity verification.
- Primary citation
- Decree 53/2023, Article 13(1)(d)
Follow and reconcile current CREL beneficial-owner implementation guidance
- Implementation action
- Current official registry guidance instructs filing at incorporation, annually in the month of incorporation and within 30 days of a change. Treat the annual and 30-day periods as implementation guidance pending confirmation from a working official primary full-text copy, not as independently verified statutory deadlines. Capture the requested identity, NUIT, contact, percentage/type of control, effective date and supporting documents.
- Evidence to retain
- CREL declaration and receipt, guidance-based calendar, change log, beneficial-owner register, primary-source confirmation tracker and reconciliation to the KYC file.
- Primary citation
- Official CREL beneficial-owner implementation guide; article-level Decree-Law 1/2024 confirmation pending
05PEPs, enhanced due diligence and remote onboardingHigher-risk relationships require a reasoned escalation, not merely a screening flag.5 items+
Identify PEP exposure across the relationship
- Implementation action
- Screen customers, representatives and beneficial owners for domestic, foreign and international-organization PEP status, including family members and close associates.
- Evidence to retain
- List sources, screening timestamps, match adjudication, relationship mapping and review history.
- Primary citation
- Law 14/2023, Articles 23-24; Decree 53/2023, Article 44
Apply PEP approval, source and monitoring controls
- Implementation action
- Obtain senior-management approval before starting or continuing the relationship, establish and evidence source of wealth and source of funds, and apply permanent enhanced monitoring.
- Evidence to retain
- Approval, wealth/funds evidence, plausibility assessment, EDD plan, alerts and periodic review.
- Primary citation
- Law 14/2023, Article 23, as amended by Law 3/2024
Do not auto-expire PEP controls
- Implementation action
- Recognize the statutory 2-year formal post-office period, then continue proportionate measures while residual PEP risk remains.
- Evidence to retain
- Office-leaving date, 2-year review, residual-risk assessment, approval to retain or reduce controls.
- Primary citation
- Law 14/2023, Article 23(3)-(4)
Control non-face-to-face onboarding
- Implementation action
- For financial institutions, complete all statutory CDD remotely using permitted secure identification/authentication methods, assess channel risk and require in-person identification where a discrepancy arises.
- Evidence to retain
- Remote CDD policy, consent where applicable, identity/liveness results, device/channel data, discrepancy and in-person resolution record.
- Primary citation
- Decree 53/2023, Article 48
Apply documented EDD to higher risk
- Implementation action
- Investigate purpose, frequency, complexity, economic rationale, amounts, source/destination, geography, payment means and profile; obtain additional verification, higher approval, intensified monitoring and shorter refresh where required.
- Evidence to retain
- EDD questionnaire, source evidence, transaction rationale, approval, review frequency and enhanced-monitoring results.
- Primary citation
- Law 14/2023, Article 21; Decree 53/2023, Article 18
06Monitoring, failed CDD and GIFiM reportingMonitoring must join customer context, threshold aggregation, suspicious-activity escalation and confidential reporting.5 items+
Monitor the relationship and refresh CDD
- Implementation action
- Compare activity with known business, risk and source of funds; update immediately on doubt or suspicion and at intervals not exceeding 1 year for high-risk and 3 years for low-risk customers.
- Evidence to retain
- Expected-activity profile, monitoring rules, alert/case history, refresh calendar, updated documents and reviewer sign-off.
- Primary citation
- Law 14/2023, Article 15; Decree 53/2023, Articles 15 and 41
Stop or exit when CDD cannot be completed
- Implementation action
- Where identification or verification duties cannot be completed, refuse to establish the business relationship or carry out the occasional transaction or operation; terminate an existing relationship where the identified risk cannot otherwise be managed; record the written conclusions; and submit an STR to GIFiM. Consult the competent judicial or police authorities before termination where it could prejudice an investigation. Stop further CDD where continuing would risk tipping off the customer.
- Evidence to retain
- System stop, refusal/exit decision, written conclusions, declined-operation log, authority-consultation record and STR receipt.
- Primary citation
- Law 14/2023, Articles 15(6) and 41; Decree 53/2023, Article 21
Submit STRs electronically under GIFiM procedures
- Implementation action
- Escalate immediately and submit through the registered goAML channel within 24 hours of detecting suspicion or executing the transaction. If that is impossible, submit no later than 3 working days from detection or execution. Use physical documents only exceptionally where electronic technical conditions are unavailable and follow GIFiM procedures.
- Evidence to retain
- Detection/execution time, internal escalation, case analysis, goAML receipt/reference, impossibility rationale and exceptional physical-submission evidence where used.
- Primary citation
- Law 14/2023, Article 44(1)-(2); Decree 53/2023, Articles 26-27; GIFiM goAML portal
Submit statutory threshold reports
- Implementation action
- Report cash transactions at or above MZN 250,000 and other transactions at or above MZN 750,000, whether single or fractionated. Detect and aggregate fractionation daily, weekly and monthly and report when the aggregate reaches the threshold. Use an extended arrangement only with supervisor authorization after GIFiM consultation and never beyond 6 months.
- Evidence to retain
- Daily/weekly/monthly aggregation logic, completeness reconciliation, submitted report and receipt, plus supervisor authorization, GIFiM consultation and duration where extended.
- Primary citation
- Law 14/2023, Article 44(3); Decree 53/2023, Article 24(3)-(5)
Preserve abstention and tipping-off controls
- Implementation action
- Where founded suspicion requires abstention, stop execution and notify the Public Prosecutor and GIFiM immediately. Never reveal an STR, related communication or consideration to the customer or a third party.
- Evidence to retain
- Confidential abstention log, authority communication, suspension instruction, role-based access and neutral customer communication.
- Primary citation
- Law 14/2023, Articles 42 and 53; Decree 53/2023, Articles 22-23
07Payments, wires, thresholds, agents and VASPsPayment architecture changes both licensing and transaction-data obligations. Sector rules are additional to general AML duties.6 items+
Carry exact international wire-transfer information
- Implementation action
- Include originator name, account if used, address, national-ID or customer-ID number, date and place of birth; beneficiary name and account if used; beneficiary bank; and transaction value. Use a unique traceable reference where no account exists and keep the message attached through the chain.
- Evidence to retain
- Exact-field message mapping, required-field validation, unique-reference logic, intermediary preservation and sampled transfer record.
- Primary citation
- Decree 53/2023, Articles 49(6), 50, 52 and 54.
Constrain the reduced-information wire rule
- Implementation action
- For cross-border transfers below MZN 30,000, retain the originator and beneficiary names plus both account numbers, or a unique transaction reference where no account exists. At MZN 30,000 or more, apply the full Article 50 information requirements and verify the beneficiary where required. Suspicion overrides reduced-information treatment.
- Evidence to retain
- Below-MZN-30,000 boundary rule, minimum-field test, full-information boundary, beneficiary verification, suspicion override and transfer record.
- Primary citation
- Decree 53/2023, Articles 49(6), 50, 52 and 54.
Treat missing wire information by institution role
- Implementation action
- The originating bank must abstain from execution where required information is absent. Intermediary and beneficiary banks must detect missing information and use effective risk-based rules to execute, reject or suspend and determine follow-up. At MZN 30,000 or more, the beneficiary bank verifies the beneficiary if not previously verified and retains the information.
- Evidence to retain
- Originator hard stop, intermediary and beneficiary exception queues, risk disposition, follow-up, beneficiary verification and retained record.
- Primary citation
- Decree 53/2023, Articles 49(6), 50, 52 and 54.
Control payment and e-money agents
- Implementation action
- Perform fit-and-proper and risk assessment, impose contractual controls, train and monitor agents, maintain a current list and report suspension/termination as required; terminate transfer/e-money agent contracts where AML/CFT/CPF training has not occurred for more than 1 year; retain principal responsibility for agent activity.
- Evidence to retain
- Agent due diligence, contract, risk score, training, monitoring, current list, annual assessment and termination/report record.
- Primary citation
- Decree 50/2024, Article 53; Notice 10/GBM/2024, Articles 121-126, specifically Article 122(2) for the training termination rule
Obtain VASP authorization and registration
- Implementation action
- Before providing exchange, transfer, custody/administration or covered issuer-related virtual-asset services, obtain Banco authorization/registration and assess local scope for foreign services offered to residents.
- Evidence to retain
- Perimeter analysis, Notice 4 application, registration/authorization, controller and governance files, local representation and product inventory.
- Primary citation
- Law 14/2023, Articles 25-26; Notice 4/GBM/2023; Notice 10/GBM/2024, Articles 143 onward
Keep cross-border cash rules distinct
- Implementation action
- For travellers or logistics, check the current exchange/customs declaration law. AT's portal currently displays values above MZN 10,000 national currency and USD 10,000 foreign currency; do not use these as customer-reporting thresholds.
- Evidence to retain
- Current AT check, declaration, currency/value record and customs receipt where applicable.
- Primary citation
- Law 14/2023, Article 45; Autoridade Tributária e-Viajante portal
08Targeted financial sanctionsTargeted financial sanctions require immediate list ingestion, screening, freezing and reporting, independent of ordinary transaction monitoring.4 items+
Screen current UN and national designations
- Implementation action
- Screen customers, beneficial owners, representatives, counterparties and transactions using current UN consolidated and nationally disseminated lists, including change-triggered rescreening.
- Evidence to retain
- List source/version/time, ingestion log, population coverage, screening results and match decisions.
- Primary citation
- Law 15/2023, as amended by Law 4/2024; Decree 54/2023; GIFiM TFS pages
Freeze immediately and without prior authorization
- Implementation action
- Freeze designated funds and other assets without delay and without prior notice or authorization; complete the statutory process within 24 hours after communication of an international list or dissemination of a national list.
- Evidence to retain
- International-list communication or national-dissemination time, alert time, asset block time, asset inventory and decision record.
- Primary citation
- Law 15/2023, Articles 39-40, as amended by Law 4/2024; Decree 54/2023
Notify all required authorities and report freeze details
- Implementation action
- On identifying linked assets, notify the Procurador-Geral da República, competent supervisor and GIFiM immediately. Within 24 hours of freezing or unfreezing, report to GIFiM the amount, asset type, date and time, including measures involving transactions or attempts.
- Evidence to retain
- Notices to PGR, supervisor and GIFiM; GIFiM receipt; amount/type/date/time schedule; attempted-transaction details and follow-up correspondence.
- Primary citation
- Law 14/2023, Article 63; Law 15/2023, Articles 39-40; Law 4/2024; Decree 54/2023
Control false positives and unfreezing
- Implementation action
- Keep assets blocked while the match is unresolved and unfreeze only through the prescribed verification/authority process, retaining the full rationale and authorization.
- Evidence to retain
- Match analysis, identifiers compared, authority contact, unfreeze authorization, time stamps and customer communication review.
- Primary citation
- Law 15/2023, Articles 30 and 39-42, as amended by Law 4/2024; Decree 54/2023
09Retention and regulator accessRecords must be complete, reconstructable, confidential and promptly retrievable for competent authorities.4 items+
Retain the general AML file for 10 years
- Implementation action
- Keep customer, representative and beneficial-owner identification, risk assessments, reconstructable transactions, correspondence, reports and analyses for 10 years after account closure or relationship end.
- Evidence to retain
- Retention schedule, closure/end date, immutable archive, sample retrieval and deletion hold.
- Primary citation
- Law 14/2023, Article 43; Decree 53/2023, Articles 29-30
Support extensions and legal holds
- Implementation action
- Prevent deletion where a competent authority requires longer retention or an investigation, litigation or sanctions hold applies.
- Evidence to retain
- Legal-hold policy, authority request, affected-record inventory, release approval and audit log.
- Primary citation
- Law 14/2023, Article 43
Preserve separate statutory record classes
- Implementation action
- Track sector-specific and document-specific clocks, including specified 5-year training/internal-review and trust-administration records, without shortening the general 10-year customer and transaction file.
- Evidence to retain
- Record-class inventory, legal mapping, minimum period, system rule and disposal approval.
- Primary citation
- Law 14/2023, Articles 43, 48 and 51; Decree 53/2023
Provide timely competent-authority access
- Implementation action
- Index records so transactions, ownership/control, CDD decisions, reports and control operation can be produced promptly while restricting unauthorized access.
- Evidence to retain
- Retrieval test, regulator response pack, access logs, chain of custody and confidentiality approvals.
- Primary citation
- Law 14/2023, Articles 22, 43 and 55-60
10Personal data and privacy statusThe review found constitutional and electronic-transactions protections but no confirmed comprehensive personal-data protection act in force. The March 2026 instrument is a bill.4 items+
Apply operative constitutional protections
- Implementation action
- Respect Article 71 restrictions and access/rectification protections for personal data while documenting the statutory basis for AML collection, screening, retention and authority disclosure.
- Evidence to retain
- Data inventory, purpose/legal-basis mapping, notice, access/rectification workflow and disclosure register.
- Primary citation
- Constitution in force, Assembly of the Republic official page, Article 71
Secure electronic records and transactions
- Implementation action
- Protect systems and data against unauthorized access and apply authentication, access control, logging, integrity and incident-response measures appropriate to the service.
- Evidence to retain
- Security policy, access matrix, authentication configuration, logs, vulnerability remediation and incident records.
- Primary citation
- Electronic Transactions Law 3/2017
Do not overstate unconfirmed general privacy duties
- Implementation action
- Do not label GDPR-style controller registration, DPIA, breach-notification or international-transfer deadlines as generally enacted Mozambican requirements without a current sector-specific or enacted primary source.
- Evidence to retain
- Current-law check, sector mapping, legal advice where needed and product requirement traceability.
- Primary citation
- INTIC proposal updates dated 5 March, 28 May and 29 May 2026
Track the personal-data protection bill
- Implementation action
- Monitor parliamentary passage, promulgation, gazette publication, commencement and transitional periods, then update controls only against the enacted text. INTIC's May updates still described the comprehensive measure as a proposal under parliamentary consideration.
- Evidence to retain
- Legislative tracker, official gazette check, impact assessment and approved implementation plan.
- Primary citation
- INTIC official March and May 2026 proposal-status updates
11Evidence packs and assuranceA defensible program links each legal obligation to a control, owner, record and tested outcome.4 items+
Maintain a customer and KYB evidence pack
- Implementation action
- Bundle verified identity, authority, purpose, expected activity, ownership/control, CREL reconciliation, risk rating, source evidence and approvals with timestamps and provenance.
- Evidence to retain
- Indexed customer file and completeness checklist.
- Primary citation
- Law 14/2023, Articles 15 and 22; Decree 53/2023, Articles 10-18
Maintain reporting and sanctions evidence packs
- Implementation action
- Preserve alert-to-decision timelines, STR and threshold receipts, non-report rationale, abstention records, list versions, freeze timestamps and GIFiM notifications.
- Evidence to retain
- Case file, goAML receipt, threshold reconciliation, sanctions file and authority correspondence.
- Primary citation
- Law 14/2023, Articles 42-45 and 53; Law 15/2023; Decrees 53/2023 and 54/2023
Test data and control completeness
- Implementation action
- Sample onboarding, refresh, monitoring, wires, reporting, sanctions, retention and agent controls; reconcile source populations to processed and reported outcomes.
- Evidence to retain
- Test plan, samples, findings, root-cause analysis, action owner and closure proof.
- Primary citation
- Law 14/2023, Articles 46-51; Notice 10/GBM/2024 where applicable
Track date-sensitive legal transitions
- Implementation action
- Recheck FATF statements, sanctions lists, National Payments System bill promulgation/commencement, privacy-bill enactment, sector notices and thresholds before launch and at periodic legal review.
- Evidence to retain
- Legal inventory, source URLs, last-check date, change assessment, approvals and dataset revision log.
- Primary citation
- FATF statements dated 24 October 2025 and 19 June 2026; Assembly and INTIC official status pages

11 control areas and 48 implementation checks, with direct regulatory sources.
Download the Mozambique KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Mozambique implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.8, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
26 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Law 14/2023 of 28 August: AML/CFT/CPF preventive lawBanco de Moçambique / Boletim da República · Primary legislation
- Law 3/2024 and Law 4/2024 amendmentsBanco de Moçambique / Boletim da República · Amending legislation
- Decree 53/2023 and Decree 54/2023 regulationsBanco de Moçambique / Boletim da República · Regulations
- Notice 10/GBM/2024 AML/CFT/CPF directivesBanco de Moçambique · Financial-sector notice
- GIFiM mandateGIFiM · Official authority page
- goAML reporting portalGIFiM · Official reporting channel
- Law 15/2023 on terrorism and targeted financial sanctionsBanco de Moçambique / Boletim da República · Primary legislation
- GIFiM targeted-financial-sanctions documentsGIFiM · Official sanctions resource
- United Nations Security Council consolidated sanctions listUnited Nations Security Council · Official sanctions list
- CREL beneficial-owner filing guideLegal Entities Registry service · Official registry guidance
- Banco de Moçambique institution licensingBanco de Moçambique · Official licensing page
- Decree 50/2024 regulating credit institutions and financial companiesBanco de Moçambique / Boletim da República · Prudential and licensing regulation
- Notice 4/GBM/2023: VASP registration requirementsBanco de Moçambique · Virtual-asset sector notice
- Banco de Moçambique regulatory sandboxBanco de Moçambique · Official fintech page
- National payments law proposal approved for submission to Parliament, 18 February 2026Government of Mozambique · Official legislative-status page
- Constitution of the Republic of MozambiqueInstituto Nacional de Segurança Social de Moçambique · Constitution
- Electronic Transactions Law 3/2017Instituto Nacional das Comunicações de Moçambique · Primary legislation
- Personal-data protection bill sent for parliamentary debateINTIC · Official legislative-status notice
- Personal-data protection proposal remains before Parliament, 28 May 2026INTIC · Official legislative-status update
- INTIC privacy-law status update, 29 May 2026INTIC · Official legislative-status update
- Law 20/2020 on credit institutions and financial companiesBanco de Moçambique / Boletim da República · Primary legislation
- Notice 1/GBM/2026 creating the Mozambique Instant Payments SystemBanco de Moçambique / Boletim da República · Payments regulation
- Autoridade Tributária e-Viajante currency declaration portalAutoridade Tributária de Moçambique · Official declaration portal
- FATF Mozambique removal from increased monitoring, 24 October 2025Financial Action Task Force · Official public statement
- FATF jurisdictions under increased monitoring, 19 June 2026Financial Action Task Force · Official public statement
- FATF high-risk jurisdictions subject to a call for action, 19 June 2026Financial Action Task Force · Official public statement
Direct answers
Mozambique KYC, KYB and AML questions
Who receives suspicious transaction reports in Mozambique?+
GIFiM is Mozambique's financial intelligence unit. Reporting entities register and submit electronically through GIFiM's goAML channel.
When must an STR be filed?+
Law 14/2023 requires immediate reporting once suspicion or reasonable grounds arise, including attempts. Decree 53/2023 requires electronic submission under GIFiM procedures within 24 hours of detection or execution; if impossible, no later than 3 working days. Physical submission is exceptional where technical conditions are unavailable. A value threshold does not replace an STR.
What happens when identification or verification duties cannot be completed?+
Where identification or verification duties cannot be completed, refuse to establish the business relationship or carry out the occasional transaction or operation; terminate an existing relationship where the identified risk cannot otherwise be managed; record the written conclusions; and submit an STR to GIFiM. Consult the competent judicial or police authorities before termination where it could prejudice an investigation. Stop further CDD where continuing would risk tipping off the customer. Citation: Law 14/2023, Articles 15(6) and 41; Decree 53/2023, Article 21
What transaction thresholds are reportable?+
Article 44(3) requires reports for cash transactions at or above MZN 250,000 and other transactions at or above MZN 750,000, whether single or fractionated. Decree 53/2023 requires daily, weekly and monthly fractionation detection and reporting on the aggregate. Any extended arrangement requires supervisor authorization after GIFiM consultation and cannot exceed 6 months.
When is customer due diligence required for an occasional transaction?+
The general occasional-transaction trigger is MZN 900,000 or more. CDD is also required for a relationship, any domestic or international transfer, suspicion regardless of value, and doubts about prior identification data.
Who is a beneficial owner?+
Law 14 applies at least 10% direct or indirect ownership/control, including collective-investment units, and control by other means; Decree 53 Article 13 separately uses more than 10% as an ownership indicator; KYB collection and CREL use at least 10%. The senior managing official fallback is available only after all possible means are exhausted, no suspicion exists, and no natural person is identified or doubts remain.
When must CREL beneficial-owner information be updated?+
Current official CREL implementation guidance instructs covered entities to declare at incorporation, annually in the month of incorporation and within 30 days of a change. Pending confirmation against a working official primary full-text copy of Decree-Law 1/2024, the annual and 30-day periods are presented as registry guidance, not independently verified statutory deadlines.
How long must AML records be retained?+
The general customer, beneficial-owner, transaction, correspondence, report and analysis file is retained for 10 years after account closure or the end of the relationship, subject to a longer authority requirement or legal hold.
Do payment, e-money, agent and VASP businesses need Banco approval?+
Regulated financial, payment and virtual-asset activities require the applicable Banco de Moçambique authorization or registration. Agent and sandbox arrangements do not replace the principal's responsibility or production licensing.
Does Mozambique have a comprehensive personal-data protection act in force?+
No comprehensive act was confirmed in force at 15 July 2026. Constitutional Article 71 and the Electronic Transactions Law remain relevant. INTIC's March and 28-29 May 2026 updates still describe a proposal under parliamentary consideration, so proposal duties must not be stated as current law.
Is Mozambique on the FATF grey list?+
No at the review date. FATF removed Mozambique from increased monitoring on 24 October 2025, and Mozambique is absent from both FATF statements of 19 June 2026. Institutions must still apply a current risk-based approach and monitor later statements.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.8
Prepared and reviewed on 15 July 2026 for operational compliance planning. It is not legal advice. Confirm the current consolidated Portuguese legislation, sector directions, sanctions lists, licensing perimeter, gazette status of the proposed national payments law, status and transition terms of the personal-data protection bill, and FATF statements before implementation. Thresholds and procedures in this guide are scope-specific and must not be generalized across sectors.