KYC, KYB & AML compliance checklist
Uganda KYC, KYB & AML
A practical implementation checklist for fintechs, payment providers, financial institutions and other accountable persons operating in Uganda.
- Reviewed
- 15 July 2026
- Version
- 1.9
- control areas
- 9
- implementation checks
- 51
Direct answer
What does the Uganda compliance checklist cover?
The Uganda checklist translates primary KYC, KYB and AML rules into 9 control areas and 51 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Financial intelligence unit
- Financial Intelligence Authority (FIA)
- Large cash reporting
- Conservatively UGX 20,000,000 or more
- Record retention
- At least 10 years from the applicable identity, transaction/correspondence or relationship-closure date, whichever is later
- Annual compliance return
- Due by 31 January
- FATF public list
- Exited increased monitoring on 23 February 2024
Implementation detail
Uganda compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Regulatory perimeter and governanceEstablish the licences, accountable-person status and governance structure before onboarding customers.6 items+
Map the regulatory perimeter
- Implementation action
- Document each product, customer type, payment flow and delivery channel; identify the applicable accountable-person category and sector supervisor, including Bank of Uganda licensing where relevant.
- Evidence to retain
- Approved perimeter memo, product inventory and legal sign-off
- Primary citation
- AMLA Cap. 118, Second Schedule; FIA registration guidance; Bank of Uganda supervision framework
Register with FIA
- Implementation action
- Register the entity as an accountable person using the prescribed process and maintain the registration particulars.
- Evidence to retain
- FIA registration acknowledgement and entity profile
- Primary citation
- AMLA Cap. 118, s.21(pb); AML Regulations 2015, reg. 4
Report registration changes
- Implementation action
- Notify FIA using the prescribed form within 15 days after a change to registered particulars.
- Evidence to retain
- Change log, Form 2 and submission receipt
- Primary citation
- FIA Registration Guidelines for Accountable Persons
Appoint and empower the MLCO
- Implementation action
- Every accountable person must appoint or designate an MLCO in a senior managerial position with sufficient competence and experience and notify FIA on Form 3. The internal auditor is ineligible; the CEO is ineligible except for a sole proprietorship or single-member company. Notify cessation on Form 3 within 15 days. Give the MLCO unrestricted access to relevant information and responsibility for FIA liaison, the internal escalation system and external reporting.
- Evidence to retain
- Board appointment, competence assessment, eligibility check, Form 3 notices, access profile, escalation procedure and goAML role
- Primary citation
- AMLA Cap. 118, s.6(m); AML Regulations 2015, regs. 6-7, as amended by AML (Amendment) Regulations 2023, reg. 5 [01][02][20]
Approve an AML/CFT programme
- Implementation action
- Maintain board-approved policies, procedures and controls covering risk assessment, CDD, reporting, records, sanctions, training and independent audit.
- Evidence to retain
- Current policy suite, board minutes and control owners
- Primary citation
- AMLA Cap. 118; AML Regulations 2015; FIA Guidance Notes
Submit the annual compliance return
- Implementation action
- File the annual compliance report and current internal AML/CFT policy with FIA by 31 January following each calendar year.
- Evidence to retain
- Signed return, policy copy and FIA receipt
- Primary citation
- AML Regulations 2015, reg. 45
02Enterprise and customer riskUse documented risk assessment to determine control intensity and review frequency.5 items+
Assess enterprise ML/TF/PF risk
- Implementation action
- Assess customers, products, services, channels, technologies and geographies; document inherent risk, control effectiveness and residual risk.
- Evidence to retain
- Approved methodology, risk register and remediation plan
- Primary citation
- AMLA Cap. 118; AML Regulations 2015; FIA Guidance Notes
Assess new products before launch
- Implementation action
- Complete ML/TF/PF, fraud and privacy assessments before launching a product, delivery mechanism or material technology change.
- Evidence to retain
- Product risk assessment and approval gate
- Primary citation
- FIA Guidance Notes; risk-based obligations under AMLA
Risk-rate every relationship
- Implementation action
- Assign and explain a customer risk rating using customer, ownership, PEP, sanctions, product, channel, transaction and geographic factors.
- Evidence to retain
- Scoring model, input data, overrides and review date
- Primary citation
- AMLA Cap. 118, s.6; AML Regulations 2015
Apply enhanced due diligence
- Implementation action
- For high-risk relationships obtain additional identity, ownership, purpose, source-of-funds or source-of-wealth information, senior approval and enhanced monitoring.
- Evidence to retain
- EDD file, approvals and monitoring plan
- Primary citation
- AMLA Cap. 118, s.6; FIA Guidance Notes
Use simplified measures only after low-risk finding
- Implementation action
- Document the low-risk basis and never use simplified measures where suspicion exists or higher-risk factors apply.
- Evidence to retain
- Low-risk assessment and approved control configuration
- Primary citation
- AML Regulations 2015; FIA CDD guidance
03KYC and customer due diligenceIdentify and verify customers before or during establishment of the relationship, subject only to lawful risk-controlled exceptions.7 items+
Apply the prescribed natural-person identification rules
- Implementation action
- For a Ugandan citizen or person lawfully resident in Uganda, obtain the applicable national identification card or alien identification document and any one of the particulars listed in regulation 19(1)(b). Residential address is one alternative among those particulars, not a separately mandatory requirement. The other alternatives include contact details; an employer or senior-government-official introduction; TIN where applicable; for a student, a school introduction and student ID copy; a summary of business activities; or a sample signature. Separately obtain the customer's fingerprints as required by regulation 19(6). Resolve doubtful citizen identity with NIRA and doubtful immigration status with the Uganda Citizenship and Immigration Control Board. For a foreign citizen not resident in Uganda, apply regulation 20's prescribed identification and independent-verification requirements.
- Evidence to retain
- Regulation 19 or 20 identity checklist, applicable national identification card or alien identification document, one regulation 19(1)(b) particular, separate fingerprint record, independent verification and doubt-resolution record
- Primary citation
- AMLA Cap. 118, s.6; AML Regulations 2015, regs. 19-20, as amended by the AML (Amendment) Regulations 2023, including regs. 19(1)(b) and 19(6) [01][02][20]
Identify representatives
- Implementation action
- Verify every person acting for a customer and confirm authority through a mandate, resolution, power of attorney or equivalent record.
- Evidence to retain
- Representative KYC and authority instrument
- Primary citation
- AMLA Cap. 118, s.6; AML Regulations 2015
Understand purpose and intended nature
- Implementation action
- Record why the relationship is opened, expected products, counterparties, volumes, value, geographies and source of funds.
- Evidence to retain
- Customer profile and expected-activity baseline
- Primary citation
- AMLA Cap. 118, s.6; AML Regulations 2015
Apply every CDD trigger to the correct customer type
- Implementation action
- Apply CDD to every one-off transaction, including every domestic or international wire transfer, without treating 5,000 currency points as a minimum threshold for regulation 18 CDD. Track and apply the 5,000-currency-point threshold separately only where another applicable provision expressly retains it. Also apply CDD whenever suspicion exists or previously obtained identification data is doubtful. For established customers, maintain ongoing CDD throughout every business relationship and ensure required originator and beneficiary information accompanies applicable wire transfers.
- Evidence to retain
- One-off transaction trigger matrix, separately configured threshold controls, ongoing CDD schedule, wire-information controls and completed CDD cases
- Primary citation
- AMLA Cap. 118, ss.6-7; AML Regulations 2015, reg. 18 as substituted by AML (Amendment) Regulations 2023, reg. 16, and regs. 34-35 [01][02][20]
Resolve failed CDD safely
- Implementation action
- Do not open, transact or continue where mandatory CDD cannot be completed; consider ending the relationship and filing an STR without tipping off.
- Evidence to retain
- Decline or exit record and STR decision
- Primary citation
- AMLA Cap. 118; AML Regulations 2015
Monitor and refresh CDD
- Implementation action
- Keep identification and risk data current, scrutinise transactions against the profile and refresh promptly after triggers or according to risk.
- Evidence to retain
- Review schedule, trigger events and refreshed files
- Primary citation
- AMLA Cap. 118, ss.6 and 7; FIA Guidance Notes
Control non-face-to-face onboarding
- Implementation action
- Apply additional document-authenticity, liveness, device, fraud and impersonation controls so remote verification is reliable and risk-based.
- Evidence to retain
- Remote-onboarding standard, test results and exception queue
- Primary citation
- AMLA risk-based CDD duties; Data Protection and Privacy Act 2019
04KYB and beneficial ownershipVerify the legal person, its authority structure and the natural persons who ultimately own, control or benefit from it.7 items+
Verify legal existence
- Implementation action
- Obtain and independently verify incorporation or registration, legal form, registered office, business address, tax details, directors and current status with URSB or the competent registry.
- Evidence to retain
- Registry extract, constitutional documents and status check
- Primary citation
- AMLA Cap. 118, s.6; AML Regulations 2015
Identify the natural-person beneficial owners
- Implementation action
- Trace ownership and control through every layer to the natural persons who ultimately own or control the customer, the natural person on whose behalf a transaction is conducted, and natural persons who exercise ultimate effective control over a legal person or arrangement; do not rely only on nominees or directors.
- Evidence to retain
- Ownership chart, transaction-beneficiary analysis, declarations and independent corroboration
- Primary citation
- AMLA Cap. 118 as amended in 2017; s.6
Verify ownership and control
- Implementation action
- Corroborate shareholding, voting rights, appointment rights, agreements and other means of influence; resolve discrepancies before onboarding.
- Evidence to retain
- Share registers, filings, agreements and discrepancy log
- Primary citation
- AMLA Cap. 118; Companies (Beneficial Owners) Regulations 2023, as amended
Check and maintain the company BO register
- Implementation action
- Obtain evidence that the company keeps its BO register, files an updated consolidated register annually, reports changes or discrepancies in writing as soon as known and designates at least one Uganda-resident natural person to cooperate with competent authorities.
- Evidence to retain
- Certified BO register, annual consolidated filing, discrepancy notices, resident-contact designation and URSB receipts
- Primary citation
- Companies BO Regulations 2023; Amendment Regulations 2024, S.I. 35/2024
Verify directors and authorised signatories
- Implementation action
- Identify and screen directors, senior managers, account signatories and persons authorised to instruct the relationship.
- Evidence to retain
- KYC files, board resolution and mandate matrix
- Primary citation
- AMLA Cap. 118, s.6; AML Regulations 2015
Understand the business and funds
- Implementation action
- Establish business model, operating footprint, licences, expected activity, source of funds and, for higher risk, source of wealth.
- Evidence to retain
- Business profile, licence checks and financial evidence
- Primary citation
- AMLA Cap. 118; FIA Guidance Notes
Refresh KYB on change
- Implementation action
- Monitor registry, ownership, control, directors, licences and activity; repeat CDD after material change, doubt or suspicion.
- Evidence to retain
- Event monitoring and updated KYB pack
- Primary citation
- AMLA ongoing CDD obligations; BO Regulations 2023/2024
05PEPs, sanctions and targeted financial sanctionsApply enhanced PEP controls and execute targeted financial sanctions without delay.5 items+
Identify PEP exposure
- Implementation action
- Screen customers, beneficial owners and controllers for domestic and foreign PEP status and relevant family members or close associates.
- Evidence to retain
- Screening results, relationship map and review log
- Primary citation
- AMLA Cap. 118, s.6(g)
Apply mandatory PEP controls
- Implementation action
- Obtain senior-management approval, establish source of wealth and source of funds, and conduct enhanced ongoing monitoring.
- Evidence to retain
- Approval, source evidence and enhanced monitoring record
- Primary citation
- AMLA Cap. 118, s.6(g)
Screen within four hours
- Implementation action
- Screen customers, beneficial owners, controllers, payers and payees against applicable designations within four hours after receiving FIA information or a directive and keep authoritative lists and subscriptions current.
- Evidence to retain
- FIA receipt time, four-hour screening completion, list inventory and alert cases
- Primary citation
- Anti-Terrorism Regulations 2025, S.I. 75/2025
Freeze, stop and report without delay
- Implementation action
- For a match, without delay freeze or seize funds and economic resources, stop transactions and prevent direct or indirect availability. Report to FIA immediately after freezing and complete the full TFS process within 24 hours.
- Evidence to retain
- Match validation, freeze and stop records, immediate FIA report and 24-hour completion clock
- Primary citation
- Anti-Terrorism Regulations 2025, S.I. 75/2025
Control unfreezing and false positives
- Implementation action
- Release assets only under competent authority, delisting or applicable legal process; preserve documented false-positive and name-resolution decisions.
- Evidence to retain
- Legal authority, release approval and case file
- Primary citation
- Anti-Terrorism Regulations 2025, including delisting, unfreezing and court-authorisation provisions [10]
06Transaction monitoring and reportingDetect unusual activity and file prescribed reports through FIA channels without tipping off.9 items+
Monitor transactions continuously
- Implementation action
- Use scenarios and investigations calibrated to the customer's expected activity, products, channels, counterparties, geography, cash and fraud risk.
- Evidence to retain
- Scenario inventory, tuning evidence and alert outcomes
- Primary citation
- AMLA Cap. 118, s.7; AML Regulations 2015
File STRs within the exact clocks
- Implementation action
- File without delay and no later than two working days from formation of suspicion. Report TF or PF suspicion without delay. Submit supplemental information as soon as possible and within two working days after discovery.
- Evidence to retain
- Suspicion time, MLCO decision, STR, supplements and goAML receipts
- Primary citation
- AMLA Cap. 118, s.9; FIA reporting requirements; FIA STR Guidance Note effective 1 December 2024 [24][25]
Prevent tipping off
- Implementation action
- Restrict STR information, communications and case access; do not disclose that a report or investigation exists.
- Evidence to retain
- Access controls, scripts and training records
- Primary citation
- AMLA Cap. 118
Record and report large cash conservatively
- Implementation action
- Configure UGX 20 million or more to reconcile the Act's 'exceeding' language with regulation 39(3) and Form A's 'equivalent to or exceeding' wording. Record on the same day; aggregate multiple transactions by or on behalf of one person during one day; apply the supervised-accountable-person own-account exception only where its conditions are met; retain Form A for 10 years; and file the prior week's reports weekly by Tuesday through the current FIA channel.
- Evidence to retain
- Threshold rationale, same-day log, aggregation, exception record, Form A retention and weekly receipt
- Primary citation
- AMLA Cap. 118, ss.7-8; AML Regulations 2015, reg.39; FIA reporting requirements [24]
Carry and control complete wire information
- Implementation action
- Ensure complete originator and beneficiary fields accompany domestic and cross-border wires throughout the chain; verify both parties; monitor and report incomplete transfers; restrict or terminate persistently non-compliant counterparties; freeze designated-person wires and notify FIA immediately.
- Evidence to retain
- Message specification, verification, repair/reject queue, counterparty action and FIA reports
- Primary citation
- AML Regulations 2015, regs.34-35
Report covered international wires
- Implementation action
- Apply FIA international-wire reporting to accountable persons facilitating those transfers. Use the exception only for financial-institution-to-financial-institution transfers where both institutions act on their own behalf.
- Evidence to retain
- Report file, receipt and documented exception rationale
- Primary citation
- FIA reporting requirements for international wire transfers [24]
Apply the foreign-funding payout control where section 25 applies
- Implementation action
- If the institution is licensed under an Act of Parliament to facilitate cross-border money transfers and is therefore a supervised institution under the Protection of Sovereignty Act 2026, do not pay money to an agent of a foreigner unless that agent declares the source of funds and submits proof of the declaration required under section 22(1). Submit a monthly report to the relevant regulator covering funds transferred through the institution to an agent of a foreigner, in accordance with regulations prescribed by that regulator. Do not apply this control universally to institutions, recipients or transfers outside those statutory definitions.
- Evidence to retain
- Licence and applicability assessment, agent-of-a-foreigner status record, source-of-funds declaration, proof of the section 22(1) declaration, payout decision, monthly regulatory report and submission receipt
- Primary citation
- Protection of Sovereignty Act 2026, ss.1, 22(1) and 25; commenced 22 May 2026 [26][27]
Control outbound and inbound cross-border declarations
- Implementation action
- Embed procedures for currency or negotiable bearer instruments equivalent to or exceeding 1,500 currency points. For outbound movement, require Form C to be presented to a customs officer at the port of exit. For inbound movement, document the current textual conflict: AMLA section 10 and FIA operational guidance specify Form D, while regulation 10(1)(b), as substituted in 2023, states Form C. Follow current FIA operational guidance, seek written clarification where practicable and retain the guidance, advice and declaration evidence supporting the form used. Escalate a failure, refusal, neglect or false declaration under the prescribed process.
- Evidence to retain
- Customer notice, direction-specific workflow, completed declaration, retained FIA guidance or written clarification, customs handoff and escalation record
- Primary citation
- AMLA Cap. 118, s.10; AML Regulations 2015, reg. 10(1)(b) as substituted by AML (Amendment) Regulations 2023, reg. 10; FIA reporting guidance [01][02][20][24]
Respond to FIA and supervisor requests
- Implementation action
- Preserve search capability, legal review, secure production and an auditable response log for information requests, directives and examinations.
- Evidence to retain
- Request register, production package and approvals
- Primary citation
- AMLA Cap. 118, ss.20-21; sector supervisory powers
07Records, assurance and trainingUganda's AMLA section 7 uses record-specific trigger dates and an express whichever-is-later rule. Configure retention from the statutory event, not merely from file creation.3 items+
Apply the AMLA section 7 retention rule
- Implementation action
- Keep account files, business correspondence, analysis results, identity and beneficial-owner evidence, CDD information, transaction records and written findings for at least ten years from the date identity evidence was obtained, the date of the relevant transaction or correspondence, or the date the account is closed or business relationship ceases, whichever is later.
- Evidence to retain
- Retention schedule; trigger-date fields; automated legal hold; deletion approvals; sampled files showing the latest applicable trigger.
- Primary citation
- Anti-Money Laundering Act 2013 s.7, as substituted by Act 3 of 2017 [01][03]
Keep records reconstructable and immediately available
- Implementation action
- Maintain records sufficient to reconstruct each transaction for account holders and non-account holders, including amount and currency, and in a form that can be supplied immediately to the FIA or law-enforcement agencies.
- Evidence to retain
- Indexed archive; transaction reconstruction test; authority-request SLA test; access and integrity logs.
- Primary citation
- Anti-Money Laundering Act 2013 s.7(2), (4) and (6) [01]
Preserve specific cash and wire records
- Implementation action
- Keep Form A cash and monetary transaction records for ten years from transaction date, while also applying section 7's later-trigger rule to overlapping account, identity, correspondence and relationship records. Preserve wire-chain information and reporting evidence under the applicable regulations.
- Evidence to retain
- Form A archive; wire-message archive; overlap analysis; retrieval test.
- Primary citation
- Anti-Money Laundering Act 2013 ss.7-8; AML Regulations 2015 as amended [01][02]
08Payment systems and fintech operationsApply Bank of Uganda licensing and prudential controls to payment services, systems and fintech delivery.5 items+
Obtain the correct NPS licence
- Implementation action
- Classify each service or system under the National Payment Systems Act and Regulations and obtain the required payment-service-provider or payment-system-operator licence before operation.
- Evidence to retain
- Classification memo, application, licence and approved activities
- Primary citation
- National Payment Systems Act Cap. 59; NPS Regulations 2021
Meet capital and fit-and-proper requirements
- Implementation action
- Maintain the category-specific capital and ownership conditions and ensure directors, controllers and key officers satisfy current fit-and-proper requirements and approval processes.
- Evidence to retain
- Capital calculation, ownership chart, fit-and-proper files and BoU approvals
- Primary citation
- NPS Act Cap. 59; NPS Regulations 2021
Operate risk, conduct and transparency controls
- Implementation action
- Maintain governance, enterprise risk management, AML, fraud, complaints, pricing and disclosure controls proportionate to the service and BoU licence.
- Evidence to retain
- Policies, customer terms, fee disclosures, complaints and risk reports
- Primary citation
- NPS Act Cap. 59; NPS Regulations 2021; BoU Oversight Framework 2025
Govern agents and safeguard customer funds
- Implementation action
- Approve and monitor agents under the applicable rules, segregate or safeguard customer funds as required, reconcile balances and prevent use of safeguarded funds for the provider's own account.
- Evidence to retain
- Agent register, due diligence, safeguarding account, daily reconciliation and exceptions
- Primary citation
- NPS Act Cap. 59; NPS Regulations 2021
Maintain resilience and BoU reporting
- Implementation action
- Operate security, business continuity, incident response, outsourcing, recovery and data controls and submit all applicable operational, prudential, incident and statistical reports to BoU.
- Evidence to retain
- Resilience tests, incidents, vendor oversight and BoU receipts
- Primary citation
- NPS Regulations 2021; BoU Oversight Framework 2025
09Data protection and digital operationsThe Data Protection and Privacy Act 2019 and Regulations 2021 govern collection, processing, security, rights, breaches and transfers. Cross-border processing has two statutory routes under section 19.4 items+
Register and assign privacy accountability
- Implementation action
- Register with the PDPO where required, keep registration current, appoint accountable privacy leadership, maintain a processing inventory and complete the required annual compliance reporting and change notifications.
- Evidence to retain
- PDPO certificate; renewal calendar; privacy appointment; processing inventory; annual report and change notices.
- Primary citation
- Data Protection and Privacy Act 2019; Regulations 2021; PDPO organisation guidance [13][14][15]
Process lawfully and transparently
- Implementation action
- Document a lawful basis and purpose for identity, biometric, screening and monitoring data; provide required notices; minimise collection; keep information accurate; implement retention controls; and support authenticated data-subject rights.
- Evidence to retain
- Privacy notices; lawful-basis register; consent records where used; rights log; DPIAs; retention schedule.
- Primary citation
- Data Protection and Privacy Act 2019 ss.7-18; Regulations 2021 [13][14]
Notify every covered security breach immediately
- Implementation action
- Where there is reason to believe personal data has been accessed or acquired by an unauthorised person, notify the PDPO immediately and follow the prescribed response process. Do not add an unsupported materiality or qualifying-breach threshold.
- Evidence to retain
- Incident register; PDPO notice and timestamp; containment and investigation record; data-subject communications where directed.
- Primary citation
- Data Protection and Privacy Act 2019 s.23; PDPO organisation guidance [13][15]
Use only the section 19 cross-border routes
- Implementation action
- Before processing or storing personal data outside Uganda, ensure the destination has adequate protection at least equivalent to Uganda's Act or obtain the data subject's consent. Do not rely on contract performance or an unspecified statutory condition as a section 19 transfer ground.
- Evidence to retain
- Destination adequacy assessment or valid consent; transfer inventory; processor contract; security review.
- Primary citation
- Data Protection and Privacy Act 2019 s.19 [13]

9 control areas and 51 implementation checks, with direct regulatory sources.
Download the Uganda KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Uganda implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.9, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
26 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- 01Uganda Legal Information Institute (ULII) · Anti-Money Laundering Act 2013, consolidated with 2017 amendments
- 02Uganda Legal Information Institute (ULII) · Anti-Money Laundering Regulations 2015, with amendment history
- 03Uganda Legal Information Institute (ULII) · Anti-Money Laundering (Amendment) Act 2017
- 18Parliament of Uganda · Anti-Money Laundering (Amendment) Act 2022 (Act 18), official Acts 2022 collection
- 22Ministry of Justice and Constitutional Affairs Uganda · Official government record confirming the Anti-Money Laundering (Amendment) (No. 2) Act 2022 (Act 23); Parliament's public 2022 collection does not currently expose the Act 23 text
- 19Uganda Legal Information Institute (ULII) · Anti-Money Laundering (Amendment) Regulations 2022, S.I. 15 of 2022
- 20Financial Intelligence Authority Uganda · Anti-Money Laundering (Amendment) Regulations 2023, S.I. 2 of 2023
- 21Uganda Legal Information Institute (ULII) · Anti-Money Laundering (Amendment of Schedule 2) Instrument 2025, S.I. 17 of 2025
- 04Financial Intelligence Authority Uganda · Current accountable-person registration instructions
- 05Financial Intelligence Authority Uganda · Current goAML registration and STR information
- 24Financial Intelligence Authority Uganda · Direct reporting requirements for suspicious transactions, large cash transactions and international wire transfers
- 25Financial Intelligence Authority Uganda · Guidance Note on Suspicious Transaction Reports for Accountable Persons, effective 1 December 2024
- 06Financial Intelligence Authority Uganda · Current online registration guidelines
- 07Uganda Legal Information Institute (ULII) · Companies Act, current consolidated text
- 08Uganda Legal Information Institute (ULII) · Companies (Beneficial Owners) Regulations 2023
- 09Uganda Legal Information Institute (ULII) · Companies (Beneficial Owner) (Amendment) Regulations 2024, S.I. 35 of 2024, gazetted instrument record
- 10Uganda Legal Information Institute (ULII) · Anti-Terrorism Regulations 2025, SI 75 of 2025
- 11Uganda Legal Information Institute (ULII) · National Payment Systems Act, Cap. 59
- 12Uganda Legal Information Institute (ULII) · National Payment Systems Regulations 2021 and amendment history
- 13Uganda Legal Information Institute (ULII) · Data Protection and Privacy Act 2019
- 14Uganda Legal Information Institute (ULII) · Data Protection and Privacy Regulations 2021
- 15Personal Data Protection Office Uganda · Current organisational compliance and breach guidance
- 16Financial Action Task Force · Uganda removed from increased monitoring, February 2024
- 17Bank of Uganda · National Payment Systems Oversight Framework 2025
- 26Ministry of Internal Affairs Uganda · Protection of Sovereignty Act 2026 (Act 7 of 2026), official publication page
- 27Ministry of Internal Affairs Uganda · Protection of Sovereignty Act 2026 (Act 7 of 2026), enacted Act PDF
Direct answers
Uganda KYC, KYB and AML questions
Who is Uganda's financial intelligence unit?+
The Financial Intelligence Authority is the national centre for receiving, analysing and disseminating financial intelligence and registers accountable persons.
What is Uganda's large-cash reporting threshold?+
FIA states that cash and monetary transactions exceeding 1,000 currency points, currently UGX 20,000,000, are reported using Form A.
How long must AML records be kept?+
FIA guidance states that accountable persons must keep required records for 10 years and keep them current and retrievable.
When is the annual AML compliance report due?+
Regulation 45 requires the prior calendar year's compliance report and internal AML/CFT policy to be submitted by 31 January.
Is Uganda on the FATF grey list?+
No. FATF removed Uganda from increased monitoring on 23 February 2024. Firms should still apply their normal risk-based country controls and monitor current FATF statements.
Does the Protection of Sovereignty Act 2026 source-of-funds control apply to every Ugandan institution or cross-border transfer?+
No. Section 25 applies to a supervised institution, defined as a person licensed under an Act of Parliament to facilitate cross-border money transfers, when paying or transferring funds to an agent of a foreigner. In that scoped case, the institution must obtain the prescribed declaration evidence before payout and report the relevant transfers monthly to its regulator under the applicable regulations.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.9
Operational guidance, not legal advice. Requirements vary by licence, activity and supervisor. Confirm the current consolidated laws, FIA directives, Bank of Uganda conditions and sector-specific rules before implementation.