Checklist de conformité KYC, KYB et AML
Congo-Kinshasa KYC, KYB & AML
A source-backed 2026 implementation dataset for customer and business verification in the Democratic Republic of the Congo. It incorporates Law No. 22/068, BCC Instruction No. 15 modification No. 3, the statutory beneficial-owner regime and its pending central register, CENAREF reporting, CONASAFIC sanctions procedures, payment and transfer controls and the Digital Code's personal-data rules.
- Revue le
- 16 July 2026
- Version
- 1.0
- domaines de contrôle
- 11
- contrôles d’implémentation
- 50
Réponse directe
Que couvre la checklist de conformité pour Congo-Kinshasa ?
La checklist pour Congo-Kinshasa traduit les principales règles KYC, KYB et AML en 11 domaines de contrôle et 50 contrôles d’implémentation, avec les autorités, obligations de déclaration et preuves à conserver.
Faits réglementaires clés
- Primary AML/CFT/CPF law
- Law No. 22/068 of 27 December 2022
- Financial intelligence unit
- Cellule nationale des renseignements financiers (CENAREF)
- STR timing
- Without delay once knowledge, suspicion or reasonable grounds exist; attempted transactions are included
- STR method
- Written, digital, electronic or telephone submission to CENAREF; telephone reports require prompt written confirmation
- Core AML retention
- 10 years from relationship end or transaction execution, by record class; specified intermediary wire data at least 5 years
- Beneficial-owner test
- More than 25% direct or indirect ownership or voting rights, other control, then the statutory management or legal-representative fallback
- Central BO register
- Required by Law No. 22/068 but the implementing Justice Ministry order was still a draft in April 2026
- BCC occasional CDD trigger
- Above USD 15,000 for the transactions and institutions covered by Instruction No. 15 modification No. 3, including linked transactions
- Cash and bearer instruments
- USD 10,000 equivalent statutory restriction, subject to stated exceptions and BCC derogations
- Cross-border cash declaration
- USD 10,000 equivalent or more on entry to or exit from the DRC
- Targeted sanctions
- Use CONASAFIC/Sentinelle and current UN and national lists; freeze without delay and without prior notice
- FATF status
- Substantially completed action plan in June 2026; still under increased monitoring pending on-site assessment
Détail d’implémentation
Exigences et actions de conformité pour Congo-Kinshasa
Ouvrez chaque domaine pour consulter l’exigence, l’action recommandée, les preuves à conserver et la source primaire utilisée.
01Scope, authorities and regulated activitiesBegin with the legal entity, activity and supervisor perimeter. The 2022 statute is broad; BCC instructions and other sector instruments apply only within their stated scopes.4 éléments+
Law No. 22/068 applies broadly and identifies financial institutions and specified non-financial businesses and professions, including casinos, real-estate agents, precious-metals and stones dealers, accountants, lawyers, notaries and bailiffs.
- Action d’implémentation
- Map every entity, product, profession and customer-facing activity to the statutory reporting-person category and competent supervisor before configuring controls.
- Preuves à conserver
- Signed perimeter memorandum, entity-product matrix, licence records and supervisor map.
- Source primaire
- Law No. 22/068, arts. 2-3
CENAREF is the financial-intelligence unit and recipient of suspicious transaction reports. BCC supervises regulated financial intermediaries and issues operational AML/CFT/CPF instructions for its sectors.
- Action d’implémentation
- Assign authority contacts, reporting ownership, BCC reporting obligations and escalation coverage, with controlled credentials and alternates.
- Preuves à conserver
- Authority map, appointments, CENAREF procedure, BCC reporting calendar and access register.
- Source primaire
- Law No. 22/068, arts. 92-113; BCC Instruction No. 15 modification No. 3
Professional funds or value transfer and transport activity requires BCC approval, and payment, e-money, card and connected-service activity is subject to the applicable BCC licensing or authorisation perimeter.
- Action d’implémentation
- Do not launch regulated transfer, e-money, payment-instrument, aggregation or related infrastructure activity until BCC confirms the classification and grants every required approval.
- Preuves à conserver
- Legal classification, BCC approval, licensed-service map, agent register and conditions tracker.
- Source primaire
- Law No. 22/068, arts. 69-70; Law No. 22/069; BCC Instructions Nos. 24 and 42
The statute treats virtual-asset service providers as reporting persons, but statutory AML coverage is not itself evidence of a current VASP licence.
- Action d’implémentation
- Block any virtual-asset product launch until the competent authority confirms the licensing basis, permitted services and AML, custody, technology and reporting conditions in writing.
- Preuves à conserver
- Authority correspondence, legal opinion, licence or refusal, product restriction and control assessment.
- Source primaire
- Law No. 22/068, arts. 2-3 and 92
02Governance, risk assessment and control ownershipControls must follow documented ML, TF and proliferation-financing risk and be owned, resourced, tested and updated.4 éléments+
Reporting persons identify, assess, understand and mitigate their exposure to ML, TF and proliferation-financing risk, proportionate to their nature, size and transaction volume.
- Action d’implémentation
- Maintain enterprise, customer, product, geographic, transaction and delivery-channel assessments and link the results to acceptance, CDD, monitoring, EDD and sanctions rules.
- Preuves à conserver
- Risk methodology, assessment, data inputs, mitigation plan and governing-body approval.
- Source primaire
- Law No. 22/068, arts. 20-22; BCC Instruction No. 15 modification No. 3, arts. 6-8
A reporting person must maintain a risk-appropriate AML/CFT/CPF programme with compliance leadership, centralised information, independent audit, staff integrity checks, training, internal control and suspicious-reporting arrangements.
- Action d’implémentation
- Appoint accountable management and compliance owners, approve policies, protect independence and resources and test design and operating effectiveness.
- Preuves à conserver
- Appointments, charter, policies, training logs, monitoring plan, audit reports and remediation tracker.
- Source primaire
- Law No. 22/068, arts. 44-45; BCC Instruction No. 15 modification No. 3, arts. 75-87
New products, business practices, channels and technologies require risk assessment before launch and proportionate mitigation.
- Action d’implémentation
- Assess identity fraud, impersonation, cyber, privacy, sanctions and transaction risks before production and gate launch on accepted residual risk.
- Preuves à conserver
- Pre-launch assessment, threat model, vendor due diligence, tests and release approval.
- Source primaire
- Law No. 22/068, art. 22
Groups apply equivalent AML/CFT/CPF controls and information-sharing arrangements to branches and subsidiaries, subject to local-law conflicts; reliance on a third party does not transfer final responsibility.
- Action d’implémentation
- Set group minimums, document local-law gaps, obtain customer evidence immediately from relied-on parties and preserve audit and exit rights.
- Preuves à conserver
- Group standard, conflict analysis, reliance contract, retrieval test and remediation record.
- Source primaire
- Law No. 22/068, arts. 27-30; BCC Instruction No. 15 modification No. 3, arts. 26 and 46-47
03Natural-person CDD and failed verificationIdentity is verified from reliable independent evidence at every applicable trigger, with a controlled outcome when verification cannot be completed.4 éléments+
CDD applies before a relationship or qualifying occasional transaction, to linked operations, qualifying electronic transfers, whenever suspicion exists and whenever earlier identity information is doubtful. For institutions within BCC Instruction No. 15's scope, the listed occasional-transaction trigger is above USD 15,000.
- Action d’implémentation
- Configure relationship, aggregation, transfer, suspicion and refresh triggers; keep sector thresholds and exceptions in a governed register.
- Preuves à conserver
- CDD trigger matrix, threshold register, aggregation tests, workflow configuration and exception report.
- Source primaire
- Law No. 22/068, arts. 31-32; BCC Instruction No. 15 modification No. 3, art. 10
Identify and verify a natural person using current official photo identification and reliable independent sources; verify address and any representative's authority.
- Action d’implémentation
- Validate the identity document, authenticity, identity attributes, address and mandate before activation, subject only to a documented lawful low-risk deferral.
- Preuves à conserver
- Identity copy, authenticity result, source provenance, address evidence, mandate and completion timestamp.
- Source primaire
- Law No. 22/068, arts. 31 and 33; BCC Instruction No. 15 modification No. 3, arts. 10-16
Understand the purpose and intended nature of the relationship, expected activity, source of funds where appropriate and the customer's risk profile; anonymous, fictitious and pseudonymous accounts are prohibited.
- Action d’implémentation
- Capture expected products, flows, counterparties, countries and funding and compare later activity to the approved profile.
- Preuves à conserver
- Purpose statement, expected-activity baseline, source evidence, risk score and account-opening controls.
- Source primaire
- Law No. 22/068, arts. 26 and 47; BCC Instruction No. 15 modification No. 3, arts. 9 and 27-31
If identity or beneficial ownership cannot be established, do not execute or begin the relationship; for an existing relationship, end it where required and assess an STR. If further CDD would tip off a suspected customer, stop the verification and report without delay.
- Action d’implémentation
- Route failed, doubtful or overdue CDD to decline, restriction or exit with a confidential CENAREF-reporting decision.
- Preuves à conserver
- Failure reason, decline or restriction, exit record, STR decision and access log.
- Source primaire
- Law No. 22/068, arts. 36-38; BCC Instruction No. 15 modification No. 3, arts. 24 and 40
04KYB, commercial registry and beneficial ownershipLegal existence, authority and ultimate ownership or control are separate tests. The statutory central register is not a substitute for independent KYB.5 éléments+
For a legal person or legal arrangement, verify constitution and existence, understand purpose, activity, ownership and control and identify directors and representatives.
- Action d’implémentation
- Collect a current RCCM or other official registry extract, constitutional documents, tax and licence evidence, registered address, directors and signatory mandates; reconcile material discrepancies.
- Preuves à conserver
- Registry extract, statutes, tax evidence, licence, management list, mandate and discrepancy log.
- Source primaire
- Law No. 22/068, art. 34; BCC Instruction No. 15 modification No. 3, arts. 17-22
Identify the natural person who directly or indirectly owns more than 25% of capital or voting rights, then test control by other means and use the applicable statutory management or legal-representative fallback only if no natural person is otherwise identified.
- Action d’implémentation
- Trace every ownership layer, calculate direct and indirect interests, test factual and legal control and document any fallback.
- Preuves à conserver
- Ownership chart, percentage calculations, control analysis, source records and verified BO files.
- Source primaire
- Law No. 22/068, arts. 35 and 39
Specified persons must declare and update beneficial-owner identity through GUCE or the National Cooperatives Service. Reporting persons collect and retain accurate current BO information and transmit information to GUCE under the implementing mechanism.
- Action d’implémentation
- Maintain an internal BO register and change trigger, prepare the statutory data set and preserve proof of any filing accepted by the competent registry.
- Preuves à conserver
- Internal BO register, change log, filing package, registry receipt and reconciliation.
- Source primaire
- Law No. 22/068, arts. 39 and 46
The Justice Minister's order must establish the central BO register and its access, protection and retention mechanics. An official ITIE-RDC workshop on 9 April 2026 still described that order as a draft awaiting adoption and operationalisation.
- Action d’implémentation
- Do not invent a portal, form or deadline. Confirm the current order and GUCE workflow before automating central filing, while continuing statutory collection, verification and update controls.
- Preuves à conserver
- Dated legal check, authority correspondence, current order, filing procedure and implementation ticket.
- Source primaire
- Law No. 22/068, arts. 40-43; ITIE-RDC, 9 April 2026
Reporting persons and supervisors report discrepancies in registered BO information to GUCE; if the legal person does not regularise within one month after GUCE's request, GUCE informs CENAREF.
- Action d’implémentation
- Maintain a discrepancy workflow that separates customer remediation, registry notification and any independent suspicious-reporting decision.
- Preuves à conserver
- Discrepancy notice, customer evidence, GUCE correspondence, one-month timer and STR assessment.
- Source primaire
- Law No. 22/068, art. 42
05PEPs, enhanced due diligence and remote onboardingHigher-risk, politically exposed and non-face-to-face relationships require additional evidence, accountable approval and closer monitoring.5 éléments+
Determine whether a customer or beneficial owner is a domestic, foreign or international-organisation PEP and cover statutory family members and close associates. The statutory definition looks back 36 months, subject to continuing risk-based enhanced measures.
- Action d’implémentation
- Screen before activation and continuously, resolve matches using reliable role and relationship evidence and record any decision to cease PEP treatment.
- Preuves à conserver
- Screening result, match disposition, role evidence, relationship analysis and risk rationale.
- Source primaire
- Law No. 22/068, art. 3 definition 40 and arts. 53 and 56
A PEP relationship requires appropriate management approval, reasonable measures to establish source of wealth and source of funds and enhanced continuous monitoring.
- Action d’implémentation
- Collect and corroborate wealth and funds evidence, obtain approval before starting or maintaining the relationship and configure enhanced review.
- Preuves à conserver
- Source-of-wealth and source-of-funds file, approval, monitoring plan and review history.
- Source primaire
- Law No. 22/068, art. 56; BCC Instruction No. 15 modification No. 3, arts. 41 and 64
Financial intermediaries within Instruction No. 15's scope inform CENAREF of an identified PEP at onboarding even where no suspicious indicator exists.
- Action d’implémentation
- Keep this PEP notification separate from an STR, confirm CENAREF's current submission channel and preserve the acknowledgement.
- Preuves à conserver
- PEP notice, submission record, receipt and separate STR decision where applicable.
- Source primaire
- BCC Instruction No. 15 modification No. 3, art. 65
Complex, unusually large, unjustified or apparently non-economic activity requires enhanced examination. Instruction No. 15 requires enhanced review of cash or bearer activity at USD 10,000 equivalent or more for its covered institutions.
- Action d’implémentation
- Document origin and destination of funds, purpose, actors, corroboration and the final reporting decision in a confidential report.
- Preuves à conserver
- Enhanced-review report, transaction data, source evidence, decision and reviewer sign-off.
- Source primaire
- Law No. 22/068, arts. 54-55; BCC Instruction No. 15 modification No. 3, arts. 61-63
Remote onboarding remains subject to full identity, beneficial-owner, sanctions and PEP controls, with adapted safeguards such as document authentication and independent verification.
- Action d’implémentation
- Use risk-based document integrity, liveness or presence, device, fraud and manual-escalation controls and validate them before production.
- Preuves à conserver
- Remote-onboarding standard, vendor review, performance tests, fraud cases and exception log.
- Source primaire
- BCC Instruction No. 15 modification No. 3, arts. 23 and 25
06Ongoing monitoring, STRs and prohibited disclosureMonitoring must detect activity inconsistent with the known profile and route suspicion promptly and confidentially to CENAREF.5 éléments+
Conduct ongoing monitoring, keep customer and BO information current and review BCC-sector customer risk profiles at least semi-annually under Instruction No. 15.
- Action d’implémentation
- Compare activity to purpose, expected behaviour, business and source of funds; trigger refresh after material identity, ownership, activity or risk changes.
- Preuves à conserver
- Monitoring scenarios, alert decisions, profile review, change log and governance metrics.
- Source primaire
- Law No. 22/068, arts. 26 and 47; BCC Instruction No. 15 modification No. 3, arts. 27-31
Report without delay to CENAREF where there is knowledge, suspicion or reasonable grounds to suspect criminal proceeds or ML, TF or PF; attempted transactions and later information that changes an STR are included.
- Action d’implémentation
- Timestamp suspicion formation, submit immediately through the confirmed CENAREF route and send supplements without delay.
- Preuves à conserver
- Suspicion timestamp, STR, submission proof, case reference and supplemental reports.
- Source primaire
- Law No. 22/068, art. 92; BCC Instruction No. 15 modification No. 3, arts. 88-90
Unresolved uncertainty about an originator, beneficial owner, trust settlor or similar arrangement is independently reportable. A separate threshold report for qualifying cash or e-money funds transmissions depends on an implementing Finance Minister order.
- Action d’implémentation
- File on unresolved identity uncertainty and keep any automatic threshold report disabled until the current ministerial amount and procedure are verified.
- Preuves à conserver
- Identity-escalation decision, STR, controlled threshold register and authority confirmation.
- Source primaire
- Law No. 22/068, art. 92
An STR may be sent in writing, digitally, electronically or by telephone; a telephone report is confirmed in writing promptly. No authoritative public CENAREF self-service filing portal was verified at the review date.
- Action d’implémentation
- Confirm the current secure operational channel directly with CENAREF, maintain tested primary and contingency routes and preserve acknowledgements without delaying urgent reporting.
- Preuves à conserver
- CENAREF confirmation, channel test, controlled contact list, submission and receipt.
- Source primaire
- Law No. 22/068, art. 94; BCC Instruction No. 15 modification No. 3, arts. 93-94
Do not disclose an STR, its content or its outcome to the customer or unauthorised third parties. CENAREF may oppose execution for up to seven days; the public prosecutor may extend or seize for up to eight additional days.
- Action d’implémentation
- Restrict case access, use approved customer communications and implement holds, extensions, releases and seizures exactly as instructed.
- Preuves à conserver
- Access log, confidentiality script, hold timeline, CENAREF notice, judicial order and release record.
- Source primaire
- Law No. 22/068, arts. 93 and 96
07Cash, payments, wires and agentsCash restrictions, cross-border declarations, payment licensing and wire information are distinct controls and should not be collapsed into one threshold rule.5 éléments+
Transactions at USD 10,000 equivalent or more generally may not be settled in cash or bearer instruments, subject to statutory exceptions and BCC derogations. This is a payment restriction, not a universal automatic STR threshold.
- Action d’implémentation
- Enforce the cashless rule, document any lawful exception or Instruction No. 15 bis derogation and separately assess unusual or suspicious activity.
- Preuves à conserver
- Payment control, exception basis, BCC derogation, enhanced review and STR decision.
- Source primaire
- Law No. 22/068, art. 23; BCC Instruction No. 15 bis modification No. 4
A person entering or leaving the DRC declares cash or bearer negotiable instruments at USD 10,000 equivalent or more at the point of entry or exit.
- Action d’implémentation
- For relevant customer journeys and own-cash movements, provide the declaration requirement and retain customs evidence; do not treat the border rule as an account-monitoring report.
- Preuves à conserver
- Procedure, declaration copy, customs receipt and exception or seizure record.
- Source primaire
- Law No. 22/068, art. 25
Wire messages carry required originator and beneficiary data. Missing or inaccurate information must be obtained and verified; if it remains unavailable, do not execute and inform CENAREF where applicable.
- Action d’implémentation
- Validate required fields before release, preserve unique references and route incomplete transfers to repair, rejection and suspicious-reporting assessment.
- Preuves à conserver
- Field matrix, message sample, repair queue, rejection test and STR decision.
- Source primaire
- Law No. 22/068, arts. 57-61; BCC Instruction No. 15 modification No. 3, arts. 45 and 66-69
Instruction No. 15 article 67 provides narrowly framed online-payment verification relief only where no suspicion exists, funds move between qualifying named accounts and the transaction and rolling limits remain below USD 2,500 and USD 30,000 respectively.
- Action d’implémentation
- Apply the relief only after confirming the drafting and sector scope with BCC; configure both unit and rolling limits and full CDD on any exception or suspicion.
- Preuves à conserver
- BCC confirmation, eligibility rules, threshold tests, named-account evidence and exception log.
- Source primaire
- BCC Instruction No. 15 modification No. 3, art. 67
Funds or value transfer providers using agents must notify the competent authority of agents, include them in the AML programme, monitor them and retain relevant operational information for CENAREF.
- Action d’implémentation
- Maintain an approved agent register, due diligence, training, transaction oversight, audit rights and termination controls.
- Preuves à conserver
- Agent list, approval, contract, training, monitoring report and issue closure.
- Source primaire
- Law No. 22/068, arts. 69-70
08Sanctions, freezing and proliferation financingTargeted financial sanctions are implemented through current CONASAFIC, UN and national-list procedures and are operationally separate from suspicious reporting.4 éléments+
Screen current UN and national designations disseminated by CONASAFIC, including names, aliases, identifiers and ownership or control; subscribe a monitored address to CONASAFIC alerts and use the Sentinelle platform.
- Action d’implémentation
- Automate list updates where reliable, test ingestion and matching, monitor alert delivery and preserve list-version evidence for every decision.
- Preuves à conserver
- List inventory, Sentinelle access, alert subscription, update log, test results and match file.
- Source primaire
- Decrees Nos. 24/24 and 24/25; CONASAFIC list-diffusion procedure
Freeze designated funds, other assets and economic resources without delay and without prior notice, prevent any direct or indirect availability or service and prohibit circumvention.
- Action d’implémentation
- Execute the freeze immediately, secure all affected products and benefits and do not wait for an STR decision or customer contact.
- Preuves à conserver
- Freeze timestamp, asset inventory, system blocks, decision record and no-notice control.
- Source primaire
- Law No. 22/068, arts. 152-163; Decree No. 24/24
Notify CENAREF and CONASAFIC without delay and report the measures and attempted transactions under the current procedure; follow authority instructions for false positives, exemptions, delisting and release.
- Action d’implémentation
- Use a controlled notification and case-management matrix and release property only on a valid authority instruction.
- Preuves à conserver
- Notification, receipt, authority correspondence, false-positive analysis and release instruction.
- Source primaire
- Law No. 22/068, arts. 162-163; CONASAFIC guidelines and Sentinelle
A sanctions match, freeze and STR are separate decisions that may arise from the same facts.
- Action d’implémentation
- Link but do not merge the cases; record legal basis, decision owner, timing, confidentiality and communications for each track.
- Preuves à conserver
- Linked case records, freeze action, separate STR assessment, access controls and audit trail.
- Source primaire
- Law No. 22/068, arts. 92 and 152-163
09Records, retention and authority accessRecords must support full reconstruction and prompt authorised access while protecting confidential reporting and personal data.4 éléments+
Keep customer and beneficial-owner identity, account books, business correspondence and analysis for 10 years from account closure or relationship end, and transaction and enhanced-examination records for 10 years after execution.
- Action d’implémentation
- Map every AML record class to the correct event, preserve legal holds and prevent premature deletion.
- Preuves à conserver
- Retention schedule, lifecycle configuration, legal-hold procedure and deletion test.
- Source primaire
- Law No. 22/068, art. 48; BCC Instruction No. 15 modification No. 3, art. 48
An intermediary institution keeps received wire data for at least five years where technical constraints prevent it remaining attached to the corresponding domestic transfer.
- Action d’implémentation
- Preserve detached message data with a reliable link to the transaction and test retrieval and reconstruction.
- Preuves à conserver
- Wire archive, linkage key, retention configuration and reconstruction test.
- Source primaire
- Law No. 22/068, art. 48; BCC Instruction No. 15 modification No. 3, art. 49
Provide required CDD and transaction records without delay to authorised judicial, investigative, supervisory and CENAREF authorities; professional secrecy cannot defeat a lawful request.
- Action d’implémentation
- Authenticate each request, apply least-privilege disclosure, log the response and maintain rapid searchable retrieval.
- Preuves à conserver
- Authority-request register, authentication, response package, access log and retrieval test.
- Source primaire
- Law No. 22/068, arts. 49 and 97
STR and sanctions files require restricted access and tamper-evident auditability throughout retention.
- Action d’implémentation
- Separate confidential-case roles from ordinary customer service, preserve immutable event history and test unauthorised-access prevention.
- Preuves à conserver
- Access matrix, immutable log, access review, incident record and audit result.
- Source primaire
- Law No. 22/068, arts. 93-105
10Privacy, biometrics and international transfersAML necessity does not displace the Digital Code. Identity and biometric processing require purpose, authority formalities, security, data-subject rights and transfer controls.6 éléments+
Personal-data processing is generally subject to prior APD declaration; biometric, national-identifier, criminal, medical and foreign-transfer processing requires prior authorisation unless a specific exemption applies.
- Action d’implémentation
- Map every identity, biometric, screening, transaction and investigation purpose and determine the declaration, authorisation or documented exemption before production.
- Preuves à conserver
- Processing inventory, legal-basis register, APD filing or decision, exemption analysis and privacy notice.
- Source primaire
- Ordinance-Law No. 23/010, arts. 183-191
Process data lawfully, fairly, transparently and for specified purposes; minimise it, keep it accurate, limit storage to necessity and apply appropriate technical and organisational security.
- Action d’implémentation
- Publish clear notices, define purpose and retention, restrict collection and access and implement backup, recovery, encryption and monitoring proportionate to risk.
- Preuves à conserver
- Notice, data map, minimisation review, retention rules, security design and test results.
- Source primaire
- Ordinance-Law No. 23/010, arts. 192-195 and 220-224
Appoint an independent DPO and maintain processing records where required. The SME and startup exception does not apply to risky, non-occasional, special-category or criminal-data processing.
- Action d’implémentation
- Document whether the exception is available; for KYC and biometric operations, appoint the DPO, publish contact details and maintain controller and processor registers.
- Preuves à conserver
- Applicability analysis, DPO appointment, contact notice, registers and management reporting.
- Source primaire
- Ordinance-Law No. 23/010, arts. 222 and 225-231
Notify the APD and affected person without delay of a personal-data breach, subject to the statutory exceptions for individual communication; processors alert controllers without delay.
- Action d’implémentation
- Maintain a tested incident plan, assess every security event promptly and document authority and individual notifications or the legal reason not to notify an individual.
- Preuves à conserver
- Incident log, risk assessment, APD notice, individual communication and processor alert.
- Source primaire
- Ordinance-Law No. 23/010, art. 244
High-risk processing, including large-scale biometric identification and significant automated profiling, requires a data-protection impact assessment and may require prior APD consultation.
- Action d’implémentation
- Complete a DPIA before launch, involve the DPO and consult the APD if residual high risk remains.
- Preuves à conserver
- DPIA, DPO advice, mitigation tests, APD consultation and launch decision.
- Source primaire
- Ordinance-Law No. 23/010, arts. 245-246
A foreign transfer requires prior APD authorisation and adequate protection or a documented statutory derogation. The APD was created by statute, but a fully operational public filing route was not verified at the review date.
- Action d’implémentation
- Map hosting and support locations, document the transfer basis and safeguards and obtain written current filing instructions before transferring KYC data abroad.
- Preuves à conserver
- Transfer map, adequacy or derogation analysis, APD authorisation or correspondence, contract and access controls.
- Source primaire
- Ordinance-Law No. 23/010, arts. 187 and 201-202 and 262-263
11Implementation and audit evidence packA defensible programme links every rule to configuration, ownership, testing, dated source evidence and a controlled residual-risk decision.4 éléments+
Run a documented pre-launch regulatory gate covering perimeter, licensing, CDD, BO, PEP, sanctions, monitoring, CENAREF reporting, records, privacy and payments.
- Action d’implémentation
- Block production until accountable owners approve control design and every material gap has a closed remediation or explicit lawful launch condition.
- Preuves à conserver
- Launch checklist, approvals, test pack, gap register and release decision.
- Source primaire
- Law No. 22/068; applicable BCC, CONASAFIC and Digital Code instruments
Third-party verification, agents, cloud providers and outsourcing do not transfer the reporting entity's legal responsibility.
- Action d’implémentation
- Assess each provider, contract immediate evidence access and audit rights, test retrieval, monitor performance and maintain an exit plan.
- Preuves à conserver
- Due-diligence file, contract, access test, monitoring report, issues and exit plan.
- Source primaire
- Law No. 22/068, arts. 29-30; BCC Instruction No. 15 modification No. 3, art. 26; Digital Code, arts. 224 and 229
Track official changes from the Gazette, CENAREF, BCC, GUCE, CONASAFIC, the Digital Ministry or APD, FATF and GABAC, especially the BO-register order, APD operating decree and threshold or filing orders.
- Action d’implémentation
- Assign source owners, review official updates on a controlled schedule and assess each change against policies, products and existing customers.
- Preuves à conserver
- Legal inventory, dated monitoring log, impact assessment, implementation ticket and approval.
- Source primaire
- Official DRC authority and FATF publications
Independently test onboarding, BO, PEP, sanctions, payments, monitoring, STR, privacy and retention controls and preserve why each rule is configured as it is.
- Action d’implémentation
- Run risk-based monitoring and independent assurance, report material findings to governance and verify remediation to closure.
- Preuves à conserver
- Control-to-law map, monitoring plan, audit report, issue register, closure evidence and release history.
- Source primaire
- Law No. 22/068, arts. 44-45; BCC Instruction No. 15 modification No. 3

11 domaines de contrôle et 50 vérifications d'implémentation avec sources réglementaires directes.
Téléchargez la checklist KYC, KYB et AML pour Congo-Kinshasa
Partagez vos coordonnées professionnelles pour accéder immédiatement à la checklist d'implémentation sourcée pour Congo-Kinshasa. Date de revue réglementaire : 16 July 2026.
Recevez le PDF immédiatement
Envoyez vos coordonnées pour démarrer automatiquement le téléchargement
Revue et sourcée
Version 1.0, revue le 16 July 2026
Approuvé par des équipes conformité de premier plan
Registre des sources primaires
25 sources utilisées pour cette checklist
Utilisez ces liens pour vérifier la législation, les lignes directrices, les procédures de déclaration et les statuts internationaux.
- Law No. 22/068 of 27 December 2022 on AML/CFT/CPFRepublic of the DRC / ANAPI · Primary legislation
- Official company-creation and legal-document portalANAPI · Official government portal
- Banking regulatory register including Instruction No. 15 modification No. 3Banque Centrale du Congo · Official sector register
- Instruction No. 15 modification No. 3 on AML/CFT/CPF standardsBanque Centrale du Congo · Primary sector instruction
- Instruction No. 15 annexes on BCC reportingBanque Centrale du Congo · Primary sector reporting annex
- Instruction No. 15 bis modification No. 4 on cash and bearer derogationsBanque Centrale du Congo · Primary sector instruction
- Instruction No. 15 bis modification No. 4 PDFBanque Centrale du Congo · Primary sector instruction
- Payment-systems regulatory registerBanque Centrale du Congo · Official sector register
- Instruction No. 24 on e-money issuance and e-money institutionsBanque Centrale du Congo · Primary sector instruction
- Instruction No. 42 on card and electronic payment rulesBanque Centrale du Congo · Primary sector instruction
- BCC-authorised connected payment-service providersBanque Centrale du Congo · Official provider register
- Services attached to the Ministry of Finance, including CENAREFMinistry of Finance · Official authority directory
- CENAREF strategic activity report 2021-2023CENAREF · Official FIU report
- CONASAFIC official portalCONASAFIC / Ministry of Finance · Official sanctions portal
- CONASAFIC legal and procedure documentsCONASAFIC / Ministry of Finance · Official sanctions register
- Procedure for disseminating targeted-financial-sanctions listsCONASAFIC · Official sanctions procedure
- Sentinelle sanctions search, alert and compliance platformCONASAFIC · Official sanctions platform
- UN Security Council consolidated sanctions listUnited Nations · Official sanctions list
- Ordinance-Law No. 23/010 establishing the Digital CodeAutorite de Regulation du secteur de l'Electricite / Presidency of the DRC · Primary legislation
- Digital Code personal-data authority provisionsDroit-Numerique.cd · Legislation access and article index
- April 2026 workshop on the draft beneficial-owner-register orderITIE-RDC · Official implementation-status notice
- Jurisdictions under increased monitoring, 19 June 2026FATF · Official international status statement
- DRC mutual evaluation reportGABAC / FATF · Official historical assessment context
- Law No. 22/069 and current sanctions-framework documentsCONASAFIC · Official legislation and implementation register
- BCC regulatory publications and current contactsBanque Centrale du Congo · Official regulator portal
Réponses directes
Questions KYC, KYB et AML pour Congo-Kinshasa
What is the DRC's principal AML/CFT/CPF law?+
Law No. 22/068 of 27 December 2022 is the principal current statute. It replaced the 2004 AML/CFT law and covers money laundering, terrorist financing and proliferation financing.
Who receives suspicious transaction reports?+
CENAREF, the Cellule nationale des renseignements financiers, receives and analyses STRs. BCC receives separate supervisory reports from financial intermediaries within its scope.
When must an STR be filed?+
Without delay once the reporting person knows, suspects or has reasonable grounds to suspect criminal proceeds or links to ML, TF or PF. Attempted transactions and later information changing the suspicion are included.
How is an STR submitted?+
The law permits written, digital, electronic or telephone transmission to CENAREF, with prompt written confirmation of a telephone report. A public self-service CENAREF portal was not verified, so obtain the current secure operational channel directly from CENAREF.
Is every transaction over a fixed amount reported to CENAREF?+
No universal automatic transaction report should be inferred. Law No. 22/068 refers to a separate Finance Minister threshold for specified cash or e-money funds transmissions, but the current amount and procedure must be verified before automation.
What occasional CDD threshold applies to BCC-regulated institutions?+
BCC Instruction No. 15 modification No. 3 states a trigger above USD 15,000 for the transactions and institutions within its scope, including linked transactions. Suspicion and doubts about identity trigger CDD regardless of amount.
What beneficial-owner threshold applies?+
Law No. 22/068 uses more than 25% direct or indirect capital or voting rights, then control by other means and then the applicable statutory management or legal-representative fallback. Ownership percentage is not the only test.
Is the central beneficial-owner register operational?+
The law requires a GUCE-held register, but an official ITIE-RDC notice from 9 April 2026 described the establishing Justice Ministry order as a draft awaiting adoption and operationalisation. Confirm the current order and filing route before automating submission.
Can registry data replace independent KYB?+
No. Verify legal existence, authority, purpose, directors and every ownership or control layer using reliable evidence, and reconcile any registry discrepancy.
What happens when identity cannot be verified?+
Do not establish or execute the relationship or transaction, or end an existing relationship where required, and assess an STR without tipping off the customer. If further CDD itself would alert a suspected customer, stop and report without delay.
What rules apply to PEPs?+
Identify domestic, foreign and international-organisation PEPs, family and close associates; obtain appropriate approval; establish source of funds and wealth; and apply enhanced monitoring. BCC-covered institutions also notify CENAREF of identified PEPs under Instruction No. 15.
How long are AML records kept?+
Generally 10 years. Identity and relationship records run from closure or relationship end, while transaction and enhanced-review records run from execution. Specified detached intermediary wire information is retained at least five years.
What is the cash restriction?+
Transactions at USD 10,000 equivalent or more generally cannot be settled in cash or bearer instruments, subject to statutory exceptions and BCC derogations. That restriction is not itself a universal STR threshold.
When is a cross-border cash declaration required?+
A traveller entering or leaving the DRC declares cash or bearer negotiable instruments at USD 10,000 equivalent or more at the entry or exit point.
What happens on a sanctions match?+
Freeze covered funds, assets and economic resources without delay and without prior notice, prevent availability or services and notify CENAREF and CONASAFIC under the current procedure. Assess an STR separately.
Which sanctions lists should be screened?+
Use the current UN and national lists disseminated by CONASAFIC, subscribe to its secure alerts and use the Sentinelle platform. Preserve the exact list version and match decision.
Are virtual-asset services licensed?+
Law No. 22/068 places VASPs within the reporting perimeter, but this does not prove a current licensing route. Obtain written confirmation and any required approval before offering exchange, transfer, custody or related services.
Do biometrics and foreign cloud hosting require privacy approval?+
Yes. The Digital Code requires prior authorisation for biometric processing and contemplated foreign transfers unless a specific exception applies. Map purposes, security, DPIA and transfer safeguards and confirm the current APD filing process.
How quickly must a personal-data breach be notified?+
The Digital Code uses 'without delay' for controller notification to the APD and affected person and for a processor's alert to its controller, subject to statutory exceptions for individual communication.
Is the DRC on the FATF grey list?+
Yes, as of 16 July 2026. FATF determined in June 2026 that the DRC had substantially completed its action plan and warranted an on-site assessment, but it remained under increased monitoring pending that assessment.
Méthode de recherche et de revue
VOVE ID Compliance Research cartographie le périmètre réglementaire, traduit les obligations en contrôles opérationnels, relie les affirmations importantes aux sources et date chaque revue.
VOVE ID Compliance Research · Revue le 16 July 2026 · Version 1.0
This checklist is general regulatory information, not legal advice or a licence determination. It reflects sources reviewed on 16 July 2026. Confirm current gazetted law, sector rules, thresholds, filing mechanics and supervisor expectations with Congolese counsel and the competent authority before launch. The statutory beneficial-owner register and the APD's operating procedures were not confirmed as fully operational public filing routes at the review date. VOVE ID can support evidence collection, screening and audit trails, but the reporting entity remains responsible for risk decisions, customer acceptance, reports, freezes and regulatory compliance.