KYC, KYB & AML compliance checklist
Rwanda KYC, KYB & AML
A practical implementation checklist for reporting persons operating in Rwanda, with a focused payment and financial-services overlay. It translates the January 2025 AML/CFT/CPF law, current FIC rules, National Bank of Rwanda requirements, RDB beneficial-ownership filings and Rwanda's personal-data law into operational controls and reviewable evidence.
- Reviewed
- 15 July 2026
- Version
- 1.0
- control areas
- 7
- implementation checks
- 43
Direct answer
What does the Rwanda compliance checklist cover?
The Rwanda checklist translates primary KYC, KYB and AML rules into 7 control areas and 43 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Financial intelligence unit
- Financial Intelligence Centre (FIC Rwanda)
- Current AML law
- Law No. 001/2025 of 22 January 2025
- Suspicion reporting
- Within 24 hours
- Threshold-report filing
- Within 2 working days
- Record retention
- At least 10 years
- FATF public list
- Not listed as of 19 June 2026
Implementation detail
Rwanda compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Scope, registration and governanceConfirm reporting-person status, register with FIC and establish accountable, independently tested AML/CFT/CPF governance.6 items+
Map every reporting person and supervisor
- Implementation action
- Document which entities and activities are reporting persons under Law No. 001/2025. Map FIC obligations and the competent sector supervisor, including the National Bank of Rwanda for licensed financial institutions and payment services, CMA for capital markets and the relevant authority for DNFBPs or other regulated activities.
- Evidence to retain
- Entity-perimeter memo, licence inventory, supervisor matrix and named obligations owner
- Primary citation
- Law 001/2025; FIC mandate; applicable sector law
Register the reporting person with FIC
- Implementation action
- Use the FIC system to register each reporting person. Under the operational rule, register a new reporting person within 30 days after receiving its incorporation certificate and notify FIC in writing of changes to registered particulars within seven working days.
- Evidence to retain
- FIC registration, incorporation date, filing receipt, particulars register and change notifications
- Primary citation
- FIC Regulation 002/FIC/2023, arts. 3-4
Appoint and notify a managerial compliance officer
- Implementation action
- Designate an AML/CFT/CPF compliance officer at managerial level with sufficient authority, independence, access and resources. Notify FIC of the appointment within three working days and maintain effective cover for absence or vacancy.
- Evidence to retain
- Appointment, role profile, reporting line, FIC notification, access rights, deputy and resource assessment
- Primary citation
- FIC Regulation 002/FIC/2023, art. 5
Make the board and senior management accountable
- Implementation action
- Require governing and senior-management bodies to approve the programme, enterprise risk assessment, customer-acceptance standard and material remediation; receive meaningful compliance and risk reporting; and ensure the compliance function can escalate without interference.
- Evidence to retain
- Approved framework, committee terms, minutes, dashboards, decisions and remediation tracking
- Primary citation
- Law 001/2025; FIC Regulation 002/FIC/2023
Maintain complete internal controls
- Implementation action
- Document risk assessment, customer acceptance, CDD, beneficial ownership, PEP, sanctions, transaction monitoring, wires, reporting, records, training, privacy, agents and outsourcing. Payment service providers must maintain comprehensive and effective AML/CFT policies, procedures and controls and may not invoke banking, professional or contractual secrecy to avoid reporting.
- Evidence to retain
- Policy suite, regulatory mapping, approvals, version history, PSP control mapping and staff attestations
- Primary citation
- Law 001/2025; Payment Service Provider Regulation 2023, art. 46
Independently audit at least annually
- Implementation action
- Maintain an independent audit function that evaluates compliance with AML/CFT/CPF policies, procedures, controls, CDD, monitoring, reporting and records. Conduct the audit at institution level at least annually and track findings to verified closure.
- Evidence to retain
- Audit independence, annual plan, report, sampled controls, issue register, owners and closure proof
- Primary citation
- FIC Regulation 002/FIC/2023, art. 25
02Customer due diligence and remote onboardingIdentify customers, representatives and beneficial owners from reliable sources before service, with equivalent controls for remote channels.6 items+
Identify and verify every customer
- Implementation action
- Identify permanent and occasional customers, whether natural persons, legal persons or legal arrangements, using reliable and independent documents, data or information. Verify any representative's authority and identity and prohibit anonymous or fictitious accounts.
- Evidence to retain
- Identity record, verification response, representative authority, source provenance and quality review
- Primary citation
- AML Law 001/2025, arts. 12-13
Understand purpose and expected activity
- Implementation action
- Record the purpose and intended nature of the relationship, occupation or business, products, expected volumes, counterparties, countries, channels and source of funds where required by risk. Use the profile as the monitoring baseline.
- Evidence to retain
- Customer profile, expected-activity fields, source evidence, risk rationale and review triggers
- Primary citation
- Law 001/2025, art. 13; FIC Regulation 002/FIC/2023, arts. 6 and 9
Apply every CDD trigger and threshold
- Implementation action
- Apply CDD when establishing a relationship; for an occasional cash transaction at or above FRW 10 million; an occasional wire transfer at or above FRW 1 million; a casino transaction at or above FRW 3 million; a real-estate purchase or sale regardless of amount; and a precious-metals or precious-stones cash transaction at or above FRW 15 million. Aggregate linked transactions, and also apply CDD whenever suspicion exists or prior identification data may be unreliable.
- Evidence to retain
- CDD trigger and equality matrix, linked-transaction logic, completed CDD cases, suspicion escalation and refreshed verification
- Primary citation
- AML Law 001/2025, art. 12; FIC Regulation 002/FIC/2023, art. 13
Verify before or during establishment
- Implementation action
- Verify the customer and beneficial owner before or during establishment or an occasional transaction. Use deferred completion only within the narrow statutory conditions, complete it as soon as reasonably practicable and control the risks before verification finishes.
- Evidence to retain
- Verification chronology, permitted-deferral rationale, limits, approval, completion evidence and overdue restrictions
- Primary citation
- Law 001/2025, art. 16
Stop or exit when CDD cannot be completed
- Implementation action
- When required CDD cannot be completed, do not open the account, begin the relationship or perform the transaction; terminate an existing relationship where required; and consider filing an STR where necessary. If CDD itself would tip off a suspected customer, stop the CDD process and file an STR.
- Evidence to retain
- Rejected or terminated case, reason, compliance decision, STR assessment, filing receipt and non-tipping-off controls
- Primary citation
- Law 001/2025, arts. 19-20
Make remote verification equivalent to face-to-face
- Implementation action
- Identify and verify a non-face-to-face customer using procedures equivalent to face-to-face controls and implement measures against single or multiple fraudulent applications. Add document authenticity, biometric or equivalent, device, contact and behavioural controls proportionate to risk.
- Evidence to retain
- Remote-control design, document result, liveness or equivalent evidence, device signals, fraud rules, exceptions and quality review
- Primary citation
- FIC Regulation 002/FIC/2023, art. 11
03KYB and beneficial ownershipVerify legal existence and authority, trace ownership and effective control, and reconcile AML analysis with RDB filings.6 items+
Verify the legal person or arrangement
- Implementation action
- Verify legal name, form, existence, registered and principal addresses, governing instruments, senior managers, registration, tax identifiers, licences and representative authority using RDB, ORG and other reliable independent sources.
- Evidence to retain
- Registry extract, governing documents, tax and licence checks, managers, representative authority and discrepancy log
- Primary citation
- Law 001/2025, arts. 13-14; RDB/ORG records
Identify the ultimate natural-person owner or controller
- Implementation action
- Identify and take reasonable measures to verify the natural persons who ultimately hold a controlling ownership interest. If ownership does not reveal the beneficial owner or creates doubt, identify natural persons exercising control by other means; if none is identified, record the relevant senior managing official as the statutory fallback.
- Evidence to retain
- Ownership chart to natural persons, controlling-interest rationale, other-control analysis, verification and fallback record
- Primary citation
- Law 001/2025, arts. 2 and 14
Identify all legal-arrangement parties
- Implementation action
- For a trust, identify and verify the settlor, trustee, protector where applicable, beneficiaries or class of beneficiaries and any other natural person exercising ultimate effective control. Apply equivalent analysis to a similar arrangement.
- Evidence to retain
- Trust or arrangement instrument, party register, identity verification, control map and beneficiary-class analysis
- Primary citation
- Law 001/2025, art. 14
Apply the current AML beneficial-owner cascade
- Implementation action
- Law No. 001/2025 sets no percentage. Operationalise FIC Guidelines No. 002/2025 by identifying natural persons with more than 25% of shares, at least 25% of voting rights, control by other means and, only if no natural person is identified, the senior-management fallback. Use a conservative at-least-25% implementation where systems need one threshold and document the official-text distinction.
- Evidence to retain
- Ownership and voting chart, threshold logic, other-control analysis, verification, fallback record and legal rationale
- Primary citation
- AML Law 001/2025, art. 14; FIC Guidelines 002/2025
File, reconcile and refresh beneficial ownership
- Implementation action
- For RDB/ORG filing, apply the registry guidance's at-least-25% ownership step plus control by other means. Keep the RDB and AML analyses separate and reconcile discrepancies. Update beneficial-owner information within 15 days after a change, after identifying outdated information, or after a specified risk trigger. Refresh higher-, medium- and lower-risk BO files at least every one, two and three years respectively, and maintain the internal register and supporting evidence.
- Evidence to retain
- Separate AML and registry analyses, RDB filing, 15-day change, stale-data and risk-trigger workflow, 1/2/3-year review calendar, internal register and reconciliation
- Primary citation
- FIC Guidelines 002/2025, section 6.3; RDB BO Guidelines
Verify licences and operating reality
- Implementation action
- Confirm the entity holds every required sector licence; business registration alone does not authorise financial services. Compare directors, locations, websites, settlement accounts, contracts and transaction activity to the claimed business and escalate shell or nominee indicators.
- Evidence to retain
- NBR or CMA licence check, RDB record, operating-footprint evidence, account match, adverse information and decision
- Primary citation
- NBR Consumer Protection Booklet; applicable licensing law
04Risk, PEPs and targeted financial sanctionsOperate documented enterprise and customer risk assessment, mandatory PEP controls and immediate 2025 TFS measures.6 items+
Assess enterprise-wide ML/TF/PF risk
- Implementation action
- Identify, assess, understand and document risks from customers, beneficial owners, countries, products, services, transactions, delivery channels, technologies, agents and outsourcing. Update the assessment after material change and use Rwanda's national risk assessment as an input.
- Evidence to retain
- Approved methodology, data inputs, assessment, residual-risk decisions, update log and remediation plan
- Primary citation
- Law 001/2025; Payment Service Provider Regulation 2023, art. 46; Rwanda NRA 2024
Assign and explain relationship risk
- Implementation action
- Assign a documented rating using ownership, PEP, sanctions, business, product, channel, transaction and geographic factors. Ensure risk drives CDD depth, approval, monitoring and review frequency and that overrides are controlled.
- Evidence to retain
- Scoring methodology, input data, rating, override record, approval and next-review date
- Primary citation
- Law 001/2025; FIC Regulation 002/FIC/2023
Identify PEPs and connected persons
- Implementation action
- Use risk-management systems to identify whether a customer or beneficial owner is a foreign or domestic PEP or a person entrusted by an international organisation, and identify covered family members and close associates. Repeat screening throughout the relationship.
- Evidence to retain
- PEP screening, relationship map, source data, alert decisions and rescreening
- Primary citation
- Law 001/2025, art. 22
Apply mandatory PEP controls
- Implementation action
- Obtain senior-management approval before establishing or continuing the relationship, take reasonable measures to establish source of wealth and source of funds and apply enhanced ongoing monitoring proportionate to risk.
- Evidence to retain
- Senior approval, source-of-wealth and source-of-funds substantiation, EDD file and monitoring plan
- Primary citation
- Law 001/2025, art. 22
Screen UN and domestic lists continuously
- Implementation action
- Screen customers, beneficial owners, controllers, representatives and transaction parties against current UN and Rwanda domestic designation lists before onboarding, before relevant transactions and immediately after FIC list notices. Subscribe to and operationalise current FIC public notices.
- Evidence to retain
- Authoritative-list inventory, notice subscription, update log, screening results, alert decisions and QA
- Primary citation
- Law 001/2025; FIC Regulation 001/FIC/2025; FIC Public Notices
Execute the exact TFS without-delay sequence
- Implementation action
- After FIC notification, complete screening within five hours. If there is no match, report that outcome within two hours after screening. If there is a match, apply the targeted financial sanctions and prohibitions and report within six hours after screening. Complete the full designation-to-screening-to-freezing-and-reporting process within 24 hours after designation. Without prior notice freeze or seize linked assets, prohibit direct or indirect availability and submit the required STR or SAR when designated assets are identified.
- Evidence to retain
- Designation, notification and screening timestamps, two-hour no-match report or six-hour match action, asset scope, freeze record, STR or SAR receipt and release authority
- Primary citation
- FIC Regulation 001/FIC/2025; January 2026 Without-Delay Guidance
05Enhanced due diligence and higher-risk controlsApply proportionate additional measures to higher-risk customers, jurisdictions, structures, products and counterparties.5 items+
Apply EDD when risk or suspicion is elevated
- Implementation action
- Obtain additional identity, ownership, business, purpose, source-of-funds and source-of-wealth information; require senior approval; deepen and increase monitoring; and document why residual risk remains acceptable.
- Evidence to retain
- EDD checklist, corroborating records, approval, monitoring plan and review date
- Primary citation
- Law 001/2025, art. 18; FIC Regulation 002/FIC/2023, art. 8
Apply high-risk-country measures without blanket de-risking
- Implementation action
- Apply enhanced CDD and any FIC or supervisory countermeasures to relationships and transactions involving identified high-risk countries. Document the current authority, risk basis and humanitarian or legitimate-activity safeguards.
- Evidence to retain
- Country-risk methodology, FIC notice, EDD, countermeasure decision and exception governance
- Primary citation
- FIC Regulation 002/FIC/2023, arts. 16 and 24
Control correspondent banking
- Implementation action
- Before entering a cross-border correspondent or similar relationship, understand the respondent's business, ownership, reputation, supervision and AML controls; establish responsibilities; obtain senior approval; and prohibit shell-bank exposure and uncontrolled payable-through access.
- Evidence to retain
- Correspondent questionnaire, public-source checks, control assessment, approval, agreement and review
- Primary citation
- Law 001/2025, art. 23; FIC Regulation 002/FIC/2023, art. 17
Control third-party reliance
- Implementation action
- Rely on another party only under the statutory conditions, obtain CDD information immediately, ensure records can be supplied within 24 hours after request and retain ultimate responsibility. Apply group controls where reliance is intra-group.
- Evidence to retain
- Reliance due diligence, agreement, information receipt, 24-hour retrieval test, monitoring and exit plan
- Primary citation
- Law 001/2025, art. 28
Investigate complex and unusual transactions
- Implementation action
- Pay special attention to complex, unusual and large transactions with no apparent lawful or economic purpose. Examine background, source and purpose, document findings and submit the required report to FIC when the applicable rule requires.
- Evidence to retain
- Alert, investigation chronology, customer explanation, corroboration, written findings and FIC receipt
- Primary citation
- FIC Regulation 002/FIC/2023, art. 12
06Monitoring, wires and payment-service controlsKeep CDD current, monitor activity and preserve complete originator and beneficiary information through every payment role.7 items+
Monitor transactions throughout the relationship
- Implementation action
- Monitor actual activity against the customer's purpose, business, source, expected behaviour and risk. Use appropriately calibrated scenarios, link related transactions and provide investigators with complete data and case context.
- Evidence to retain
- Monitoring coverage, data lineage, scenario inventory, alert cases, tuning, QA and metrics
- Primary citation
- Law 001/2025; Payment Service Provider Regulation 2023, art. 46
Refresh on risk and trigger events
- Implementation action
- Update identity, beneficial ownership, business, expected activity, PEP, sanctions and risk information according to materiality and risk and after ownership changes, unusual activity, document expiry, new products or adverse information.
- Evidence to retain
- Risk-based review schedule, trigger feed, updated CDD, rescreening, rating and overdue controls
- Primary citation
- Law 001/2025, art. 17; FIC Regulation 002/FIC/2023, art. 15
Capture complete wire information
- Implementation action
- Apply the required originator and beneficiary data to domestic and cross-border wire transfers, with the exact threshold treatment in the current FIC rule. Preserve account or unique-reference traceability and required identity and address or equivalent data.
- Evidence to retain
- Payment-message specification, validation, domestic and cross-border samples, traceability and exception report
- Primary citation
- Law 001/2025, arts. 25-27; FIC Regulation 002/FIC/2023, arts. 18 and 22
Apply ordering, intermediary and beneficiary duties
- Implementation action
- Detect missing wire information and apply role-specific verification, retention, suspension, rejection, monitoring and STR decisions. Where one provider controls both sides, consider all information from the ordering and beneficiary sides when deciding whether to report.
- Evidence to retain
- Role matrix, missing-data rules, repair and reject queue, decision records, retention and STR receipt
- Primary citation
- Law 001/2025, arts. 25-27; FIC Regulation 002/FIC/2023, arts. 19-21
Obtain approval for agents and material outsourcing
- Implementation action
- Obtain prior National Bank of Rwanda approval before using a payment agent and prior written approval before outsourcing an important operational function. Perform due diligence, contract for AML, privacy, records, audit and incident rights, train and monitor approved agents and providers, and retain accountability for outsourced controls.
- Evidence to retain
- NBR approvals, due-diligence file, contract, agent and provider registers, training, monitoring, incidents and termination log
- Primary citation
- Law 061/2021 governing payment systems, arts. 29-30
Perform PSP CDD before service and retain payer/payee identity
- Implementation action
- A payment service provider must perform CDD and KYC before providing service and retain identification information for the payer and payee regardless of their location. Map this requirement into onboarding, payment-message, retention and retrieval controls.
- Evidence to retain
- Pre-service CDD gate, payer and payee fields, retention configuration and retrieval test
- Primary citation
- Payment Service Provider Regulation 2023, art. 45
Prevent shell-bank relationships
- Implementation action
- A payment service provider and financial institution must not deal with shell banks or shell financial institutions or permit its accounts to be used by them. Screen counterparties and escalation indicators before and during the relationship.
- Evidence to retain
- Counterparty policy, ownership and physical-presence checks, attestations, screening and review
- Primary citation
- Payment Service Provider Regulation 2023, art. 46; Law 001/2025
07Reporting, records, privacy and assuranceMeet FIC reporting clocks, preserve ten-year evidence and operate Rwanda's controller and processor registration, breach and transfer controls.7 items+
File suspicious activity within 24 hours
- Implementation action
- Promptly submit an STR or suspicious-activity report to FIC within 24 hours using the template and electronic or other channel set by FIC. Report regardless of amount when the suspicion test is met and maintain strict non-tipping-off controls.
- Evidence to retain
- Case chronology, compliance decision, FIC report, submission receipt, access log and communication controls
- Primary citation
- FIC Regulation 002/FIC/2023, art. 29; Law 001/2025, arts. 32 and 34
Submit threshold reports within two working days
- Implementation action
- Under the published operational rule, report financial-institution cash at or above FRW 10 million, subject to the stated inter-financial-institution exception; an occasional-customer transaction above FRW 10 million; casino cash at or above FRW 3 million; precious-metals or stones dealer cash at or above FRW 15 million; and wire transfers at or above FRW 1 million. Preserve those greater-than versus at-least operators. Linked transactions are reportable when their combined total exceeds the applicable threshold. File the FIC template within two working days from the transaction day and confirm continued applicability under Law No. 001/2025.
- Evidence to retain
- Threshold and equality register, combined-total linked logic, reports, two-working-day timeline, receipts and legal confirmation
- Primary citation
- FIC Regulation 002/FIC/2023, arts. 31-32
Retain retrievable records for at least ten years
- Implementation action
- Keep domestic and international transaction records, CDD files, business correspondence, analysis results, STRs and other FIC reports and supporting documents for at least ten years after the transaction, relationship termination or occasional transaction. Ensure swift retrieval for competent authorities.
- Evidence to retain
- Retention schedule, repository controls, sample retrieval, legal holds, access logs and deletion evidence
- Primary citation
- Law 001/2025, art. 21
Register controllers and processors and appoint DPOs when triggered
- Implementation action
- Before operating as a data controller or processor, register with the Data Protection and Privacy Office and maintain a valid certificate. Apply for renewal within 45 working days before expiry and report changes. Appoint a personal-data protection officer when one of Article 40's statutory triggers applies, rather than treating appointment as universal. A non-established organisation processing data of people in Rwanda must designate a written representative in Rwanda.
- Evidence to retain
- Registration certificate, renewal diary, change notifications, Article 40 DPO assessment and appointment where triggered, local representative and processing inventory
- Primary citation
- Law 058/2021, arts. 29-36 and 40; DPO Registration Guide
Apply lawful, transparent and secure processing
- Implementation action
- Map processing to a lawful basis, give required notices, limit data to stated purposes, maintain accuracy, define retention, support data-subject rights, log processing, protect data with appropriate technical and organisational measures and contractually govern processors.
- Evidence to retain
- Lawful-basis register, notices, records of processing, rights log, security tests, access review and processor agreements
- Primary citation
- Law 058/2021, arts. 4-17, 37-42 and 46-47
Meet the 48-hour and 72-hour breach clocks
- Implementation action
- Communicate a personal-data breach to the supervisory authority within 48 hours after awareness and submit the detailed breach report no later than 72 hours. A processor must notify the controller within 48 hours. Communicate high-risk breaches to affected data subjects unless a statutory exception applies.
- Evidence to retain
- Incident chronology, 48-hour notice, 72-hour report, processor notice, subject communication and remediation
- Primary citation
- Law 058/2021, arts. 43-45; DPO Breach Report Form
Separate cross-border transfer grounds from offshore storage approval
- Implementation action
- For a transfer outside Rwanda, document one of Article 48's alternative lawful grounds and the applicable safeguards; supervisory authorisation is not the only possible transfer basis. Separately, obtain the valid Article 50 certificate authorising storage of personal data outside Rwanda. Record destination, purpose, recipient, security, contracts and the selected statutory route.
- Evidence to retain
- Data map, Article 48 transfer assessment, safeguards, Article 50 storage certificate, contracts, security assessment and transfer register
- Primary citation
- Law 058/2021, arts. 48 and 50; DPO transfer, storage and retention guidance

7 control areas and 43 implementation checks, with direct regulatory sources.
Download the Rwanda KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Rwanda implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.0, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
24 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Law No. 001/2025 on prevention and punishment of money laundering, terrorist financing and proliferation financingFinancial Intelligence Centre Rwanda · primary
- Regulation No. 002/FIC/2023 relating to AML/CFT/CPFFinancial Intelligence Centre Rwanda · primary
- Regulation No. 001/FIC/2025 on targeted financial sanctionsFinancial Intelligence Centre Rwanda · primary
- FIC Guidelines No. 002/2025 on Transparency and Beneficial OwnershipFinancial Intelligence Centre Rwanda · primary
- Guidance on implementation of the without-delay principle for TFS, January 2026Financial Intelligence Centre Rwanda · primary
- FIC Guideline No. 001/2025 on AML/CFT/CPF Independent AuditFinancial Intelligence Centre Rwanda · primary
- FIC record-keeping guidance, January 2026Financial Intelligence Centre Rwanda · primary
- Law No. 002/2025 amending the law governing the Financial Intelligence CentreFinancial Intelligence Centre Rwanda · primary
- FIC public notices on current targeted financial sanctionsFinancial Intelligence Centre Rwanda · primary
- FIC mandate and reporting responsibilitiesFinancial Intelligence Centre Rwanda · primary
- 2024 National Money Laundering and Terrorist Financing Risk AssessmentFinancial Intelligence Centre Rwanda · primary
- Regulation governing payment service providers, 2023National Bank of Rwanda · primary
- Law No. 061/2021 governing the payment systemNational Bank of Rwanda · primary
- Payment systems legal instrumentsNational Bank of Rwanda · primary
- Beneficial Ownership GuidelinesRwanda Office of the Registrar General · primary
- Beneficial Ownership Requirements and FormsRwanda Office of the Registrar General · primary
- Beneficial Owners RegisterRwanda Development Board · primary
- Rwanda personal-data and privacy law guidanceData Protection and Privacy Office · primary
- Personal-data sharing, transfer, storage and retention guidanceData Protection and Privacy Office · primary
- Controller and processor registration guideData Protection and Privacy Office · primary
- Personal Data Breach Report FormData Protection and Privacy Office · primary
- Jurisdictions under Increased Monitoring, 19 June 2026FATF · primary
- AML Compliance in Rwanda 2026VOVE ID · contextual
- KYB in Rwanda 2026VOVE ID · contextual
Direct answers
Rwanda KYC, KYB and AML questions
What is Rwanda's current AML law?+
Law No. 001/2025 of 22 January 2025 is the current national AML/CFT/CPF law. It repealed Law No. 028/2023.
How quickly must an STR be filed in Rwanda?+
The published FIC operational regulation requires prompt submission within 24 hours using the FIC template and prescribed channel.
What beneficial-owner percentage applies?+
Law No. 001/2025 sets no percentage. FIC Guidelines No. 002/2025 use more than 25% of shares, at least 25% of voting rights, control by other means and senior-management fallback; RDB guidance uses at least 25% plus control. A conservative at-least-25% implementation should document these official-text distinctions and keep AML and registry analyses separate.
What are Rwanda's personal-data breach deadlines?+
The controller communicates the breach to the supervisory authority within 48 hours after awareness and submits the detailed report no later than 72 hours. A processor notifies the controller within 48 hours.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.0
This checklist is general compliance information, not legal advice. Law No. 001/2025 is the current national AML/CFT/CPF baseline and repealed Law No. 028/2023. FIC Regulation No. 002/FIC/2023 is cited because FIC continues to publish it for operational reporting, CDD, wire and threshold rules; confirm its current application and any replacement or amendment directly with FIC. Add the current sector rules of the National Bank of Rwanda, Capital Market Authority, insurance, gaming, professional or other competent supervisor before implementation.