Checklist de conformité KYC, KYB et AML
Kenya KYC, KYB & AML
A practical implementation checklist for reporting institutions working under Kenya's anti-money laundering, counter-terrorist financing and counter-proliferation financing framework.
- Revue le
- 14 July 2026
- Version
- 1.0
- domaines de contrôle
- 7
- contrôles d’implémentation
- 45
Réponse directe
Que couvre la checklist de conformité pour Kenya ?
La checklist pour Kenya traduit les principales règles KYC, KYB et AML en 7 domaines de contrôle et 45 contrôles d’implémentation, avec les autorités, obligations de déclaration et preuves à conserver.
Faits réglementaires clés
- Primary FIU / AML supervisor
- Financial Reporting Centre
- Core rules
- POCAMLA and 2023 Regulations
- Record retention
- Minimum 7 years
- Suspicion reporting
- Within 2 days after suspicion arises
Détail d’implémentation
Exigences et actions de conformité pour Kenya
Ouvrez chaque domaine pour consulter l’exigence, l’action recommandée, les preuves à conserver et la source primaire utilisée.
01Applicability and governanceEstablish whether the organization is a reporting institution and make accountability visible.7 éléments+
Confirm reporting-institution status
- Action d’implémentation
- Determine whether the business is a financial institution, designated non-financial business or profession, or virtual asset service provider under section 2 of POCAMLA. Apply activity-specific limits in section 48 where relevant and identify the FRC and any First Schedule sector supervisor.
- Preuves à conserver
- Documented applicability and sector-overlay assessment
- Source primaire
- POCAMLA, ss.2 and 48; First Schedule
Confirm the competent supervisor
- Action d’implémentation
- Identify the sector supervisor or self-regulatory body and the FRC obligations that apply to the institution.
- Preuves à conserver
- Regulatory obligations register
- Source primaire
- FRC compliance guidance
Register with the FRC
- Action d’implémentation
- Complete FRC registration, keep particulars current and notify changes to registration information within 90 days.
- Preuves à conserver
- Registration confirmation, change log and profile owner
- Source primaire
- POCAMLR 2023; FRC compliance guidance
Appoint accountable AML leadership
- Action d’implémentation
- Appoint an MLRO at management level with the necessary competence, authority and independence. Notify both the FRC and the supervisory body of appointment or removal within 14 days. An internal auditor or chief executive may not serve as MLRO, except that a chief executive may do so for a sole proprietorship.
- Preuves à conserver
- Appointment, role description and dual notifications
- Source primaire
- POCAMLR 2023, reg. 12
Plan VASP transition where applicable
- Action d’implémentation
- Existing virtual asset service providers should map the VASP Act 2025 licensing transition through 4 November 2026 and distinguish enacted requirements from draft 2026 regulations.
- Preuves à conserver
- VASP transition plan and legal-status register
- Source primaire
- Virtual Asset Service Providers Act 2025
Approve a risk-based AML/CFT/CPF program
- Action d’implémentation
- Maintain policies, customer-risk methodology, controls, training, testing and governance proportionate to the institution's risks.
- Preuves à conserver
- Board-approved program and risk assessment
- Source primaire
- POCAMLA and POCAMLR 2023
Conduct the mandatory institution-wide risk assessment
- Action d’implémentation
- Assess ML, TF and PF risks across customers, countries and geographies, products, services, transactions and delivery channels. Keep it current, update the program at least every two years, obtain board approval for controls and assess risk before new products, practices, delivery mechanisms or technologies.
- Preuves à conserver
- Current institutional assessment, board approval and new-product reviews
- Source primaire
- POCAMLR 2023, regs. 7-8
02KYC for natural personsIdentify the customer, verify identity from reliable independent sources and understand why the relationship exists.6 éléments+
Collect core identity particulars
- Action d’implémentation
- Capture full legal name, date and place of birth, nationality, contact details, residential address, occupation and identity-document details appropriate to the customer.
- Preuves à conserver
- Completed customer profile
- Source primaire
- POCAMLA, s.45; POCAMLR 2023, regs. 14-15
Verify identity independently
- Action d’implémentation
- Verify the customer using reliable, independent source documents, data or information such as a valid national identity card or passport.
- Preuves à conserver
- Verified document copy and verification result
- Source primaire
- POCAMLA, s.45; POCAMLR 2023, regs. 14-15
Verify authority to act
- Action d’implémentation
- When another person acts for the customer, identify and verify that person and confirm their authority.
- Preuves à conserver
- Authority instrument and agent KYC
- Source primaire
- POCAMLA, s.45(3); POCAMLR 2023, reg. 23
Understand purpose and intended nature
- Action d’implémentation
- Record the expected use, products, transaction profile, counterparties and reason for the relationship.
- Preuves à conserver
- Purpose and expected-activity statement
- Source primaire
- POCAMLR 2023, reg. 14(2)(c)
Establish financial profile
- Action d’implémentation
- Collect information proportionate to risk on occupation, income, source of funds and, where needed, source of wealth.
- Preuves à conserver
- Financial profile and supporting evidence
- Source primaire
- POCAMLR 2023, regs. 14 and 26
Resolve failed verification
- Action d’implémentation
- If required CDD cannot be completed, do not open the account, establish the relationship or execute the transaction; terminate an existing relationship where applicable; and file an STR. If completing CDD would tip off the customer, stop CDD and file an STR.
- Preuves à conserver
- Decline or exit decision and STR record
- Source primaire
- POCAMLR 2023, reg. 25
03KYB for legal persons and arrangementsVerify the entity, understand its ownership and control, and identify the natural persons behind it.7 éléments+
Verify legal existence
- Action d’implémentation
- Obtain the registered name, incorporation or registration evidence, legal form, registration number and governing documents.
- Preuves à conserver
- Registry extract and certified incorporation documents
- Source primaire
- POCAMLR 2023, reg. 16(1)(a)-(b)
Verify addresses and activity
- Action d’implémentation
- Confirm the registered office, principal place of business, business activity and operating footprint.
- Preuves à conserver
- Address evidence and business profile
- Source primaire
- POCAMLR 2023, reg. 16(1)(c)
Verify authority and signatories
- Action d’implémentation
- Obtain the board resolution or equivalent authority and identify and verify authorized signatories.
- Preuves à conserver
- Resolution, mandate and signatory KYC
- Source primaire
- POCAMLA, s.45(3); POCAMLR 2023, regs. 16(1)(d) and 23
Identify managers, controllers and owners
- Action d’implémentation
- Collect the identity particulars of natural persons managing, controlling or owning the entity.
- Preuves à conserver
- Directors and ownership register
- Source primaire
- POCAMLR 2023, reg. 16(1)(e)
Identify and verify beneficial owners
- Action d’implémentation
- Obtain and validate company BO information, including relevant CR12 or BOF1 evidence. Do not treat registry evidence or a 10% threshold as conclusive for AML: identify controlling ownership, control by other means, or only after reasonable measures the senior managing official.
- Preuves à conserver
- Ownership chart, BO declaration, registry evidence and verified BO KYC
- Source primaire
- POCAMLR 2023, regs. 14(2)(b), 16(2) and 22
Obtain financial information
- Action d’implémentation
- Collect audited financial statements for the last full year for corporate bodies, subject to the regulation's treatment of newly formed entities; apply the relevant rule for sole traders.
- Preuves à conserver
- Financial statements or documented exception
- Source primaire
- POCAMLR 2023, reg. 16(1)(f)-(g)
Recommended: screen connected persons
- Action d’implémentation
- As an implementation control, screen the entity, beneficial owners, directors, controllers and authorized signatories in line with the institution's documented risk-based program and any sector rule.
- Preuves à conserver
- Screening results and disposition log
- Source primaire
- Recommended risk-based control; confirm sector rule
04Risk assessment and screeningUse documented risk factors to determine the level of due diligence and monitoring.6 éléments+
Recommended: document customer risk rating
- Action d’implémentation
- Assess customer, geography, product, service, delivery channel, transaction and ownership risks and retain the methodology, rationale and approval required by the institution's program or sector rule.
- Preuves à conserver
- Risk score, rationale and approver
- Source primaire
- Risk-based obligations; confirm sector methodology
Apply targeted financial sanctions
- Action d’implémentation
- Screen customers, BOs, controllers, agents and transaction parties against current UN and Kenya Domestic Lists at onboarding, on list or customer changes, ongoing and before relevant transactions. On a match, without delay or notice freeze all directly, indirectly, wholly or jointly owned or controlled funds or other assets, including derived and directed assets. Do not make funds, assets, economic resources or services available. Within 24 hours report frozen assets, actions and attempts through the Committee Secretary at the FRC, file an STR where required and release nothing without authorization or valid delisting.
- Preuves à conserver
- Screening, freeze, prohibition, reporting and release audit trail
- Source primaire
- TFS Regulations 2024, regs. 6-9 and 15; PF Regulations, regs. 6-8; FRC TFS Guidance 2025
Apply the correct PEP treatment
- Action d’implémentation
- Identify foreign, domestic and international-organization PEPs, including relevant family and close associates. For foreign PEPs, obtain senior approval, establish source of wealth and funds and enhance monitoring. Apply the same measures to domestic and international-organization PEPs where higher risk.
- Preuves à conserver
- PEP result, approval and source analysis
- Source primaire
- POCAMLR 2023, reg. 26
Use adverse information proportionately
- Action d’implémentation
- Review reliable public information where relevant to the risk assessment and record why information is material or not material.
- Preuves à conserver
- Adverse-information review and decision
- Source primaire
- Risk-based control
Check higher-risk jurisdictions
- Action d’implémentation
- Use current FATF and local guidance as an input to risk, without applying automatic blanket rejection solely because a jurisdiction is under increased monitoring.
- Preuves à conserver
- Geographic-risk rationale
- Source primaire
- FATF Kenya country profile
Approve or decline with rationale
- Action d’implémentation
- Record the outcome, conditions, review frequency and person authorized to approve the relationship.
- Preuves à conserver
- Customer acceptance decision
- Source primaire
- Institution risk-based program
05Enhanced due diligenceApply additional controls when higher money-laundering, terrorist-financing or proliferation-financing risk is identified.5 éléments+
Collect further identity information
- Action d’implémentation
- Obtain information beyond standard CDD that helps establish identity and risk.
- Preuves à conserver
- EDD information pack
- Source primaire
- POCAMLR 2023, reg. 20
Apply extra verification
- Action d’implémentation
- Use additional reliable sources or corroboration to verify supplied documents and claims.
- Preuves à conserver
- Independent corroboration record
- Source primaire
- POCAMLR 2023, reg. 20
Obtain senior-management approval where required
- Action d’implémentation
- Require senior approval when the applicable high-risk or PEP rule requires it and document any conditions.
- Preuves à conserver
- Approval and conditions
- Source primaire
- POCAMLR 2023, regs. 20 and 26
Establish source of funds and, where applicable, wealth
- Action d’implémentation
- Understand and verify source of funds and establish source of wealth where the applicable PEP or sector rule requires it or where justified by the documented higher risk.
- Preuves à conserver
- Source evidence and plausibility analysis
- Source primaire
- POCAMLR 2023, regs. 20 and 26
Increase ongoing monitoring
- Action d’implémentation
- Set tighter review cycles, transaction scrutiny and escalation thresholds for high-risk relationships.
- Preuves à conserver
- EDD monitoring plan
- Source primaire
- POCAMLR 2023, reg. 20
06Ongoing due diligence and monitoringKeep customer knowledge current and compare actual activity with the expected profile.5 éléments+
Monitor transactions and behavior
- Action d’implémentation
- Scrutinize transactions throughout the relationship for consistency with the customer, business, risk profile and source of funds.
- Preuves à conserver
- Monitoring rules, alerts and case outcomes
- Source primaire
- POCAMLR 2023, regs. 34-35
Refresh customer information
- Action d’implémentation
- Update CDD based on risk, material changes, trigger events and the adequacy of previously collected data.
- Preuves à conserver
- Review schedule and refreshed file
- Source primaire
- POCAMLR 2023, reg. 14(6)
Rescreen relevant parties
- Action d’implémentation
- Rescreen customers and connected persons when lists or risk profiles change and at a frequency aligned to risk.
- Preuves à conserver
- Rescreening history
- Source primaire
- Institution risk-based program
Review complex or unusual activity
- Action d’implémentation
- Examine the background and purpose of complex, unusually large or unusual-pattern transactions and retain the analysis.
- Preuves à conserver
- Investigation notes and supporting evidence
- Source primaire
- POCAMLA, s.44(1), (4)-(5); POCAMLR 2023, regs. 34-35
Control relationship changes
- Action d’implémentation
- Trigger reassessment for ownership, directors, address, activity, products, geography or transaction-profile changes.
- Preuves à conserver
- Event-driven review log
- Source primaire
- Ongoing CDD obligation
07Reporting, records and assuranceEscalate suspicion promptly, retain evidence and test whether the program works.9 éléments+
Escalate suspicious activity internally
- Action d’implémentation
- Give staff a documented route to escalate unusual or suspicious activity to the MLRO without alerting the customer.
- Preuves à conserver
- Internal escalation procedure and training
- Source primaire
- POCAMLA and POCAMLR 2023
Report suspicion to the FRC
- Action d’implémentation
- Submit suspicious transactions or activities, including attempts and available supporting information, within two days after the suspicion arose. Do not substitute a working-day interpretation.
- Preuves à conserver
- Filed report reference and decision timeline
- Source primaire
- POCAMLA, s.44(2)-(3); POCAMLR 2023, reg. 38
File applicable cash transaction reports
- Action d’implémentation
- Report cash transactions equivalent to or above USD 15,000 under regulation 40, ordinarily by Friday or the end of the reporting week, or immediately where circumstances require.
- Preuves à conserver
- CTR rules, filed reports and reconciliation
- Source primaire
- POCAMLR 2023, reg. 40
Complete annual regulatory reporting
- Action d’implémentation
- Submit the annual compliance report for the preceding calendar year and the FRC-requested list of customers from higher-risk countries by 31 January.
- Preuves à conserver
- Submitted reports and approval record
- Source primaire
- POCAMLR 2023, reg. 44; FRC compliance guidance
Prevent tipping off
- Action d’implémentation
- Restrict knowledge of reports and investigations and avoid disclosures that could prejudice the process.
- Preuves à conserver
- Access controls and communications guidance
- Source primaire
- POCAMLA reporting framework
Retain CDD and transaction records
- Action d’implémentation
- Retain CDD, account, transaction, correspondence and written-analysis records for at least seven years after the transaction, account closure or relationship termination, and longer where the FRC requires this in writing.
- Preuves à conserver
- Retention schedule and retrieval test
- Source primaire
- POCAMLA, s.46; POCAMLR 2023, reg. 42
Make records swiftly available
- Action d’implémentation
- Ensure customer and transaction records can be supplied promptly to competent authorities on appropriate authority.
- Preuves à conserver
- Retrieval procedure and audit trail
- Source primaire
- POCAMLA, s.46; POCAMLR 2023, reg. 42
Respect privileged-sector reporting rules
- Action d’implémentation
- For advocates, notaries and other independent legal professionals, first determine whether the activity falls within section 48. Suspicion outside the privilege exemption remains reportable and may be submitted through the LSK. Reporting is not required for information protected by professional secrecy or privilege while ascertaining a legal position or representing a client in judicial, administrative, arbitration or mediation proceedings. Document the assessment without improper disclosure.
- Preuves à conserver
- Activity-scope, privilege and reporting-route assessment
- Source primaire
- POCAMLA, ss.18, 44(3)-(3C) and 48; LSK guidance
Train and independently test
- Action d’implémentation
- Train relevant personnel, conduct the mandatory independent audit and track remediation to closure.
- Preuves à conserver
- Training register, audit report and action plan
- Source primaire
- POCAMLR 2023, regs. 11(d) and 43

7 domaines de contrôle et 45 vérifications d'implémentation avec sources réglementaires directes.
Téléchargez la checklist KYC, KYB et AML pour Kenya
Partagez vos coordonnées professionnelles pour accéder immédiatement à la checklist d'implémentation sourcée pour Kenya. Date de revue réglementaire : 14 July 2026.
Recevez le PDF immédiatement
Envoyez vos coordonnées pour démarrer automatiquement le téléchargement
Revue et sourcée
Version 1.0, revue le 14 July 2026
Approuvé par des équipes conformité de premier plan
Registre des sources primaires
11 sources utilisées pour cette checklist
Utilisez ces liens pour vérifier la législation, les lignes directrices, les procédures de déclaration et les statuts internationaux.
- POCAMLA, latest available versionKenya Law
- POCAMLA Regulations, 2023Kenya Law
- Compliance obligationsFinancial Reporting Centre
- Due diligence guidance for DNFBPs, March 2025Financial Reporting Centre
- Prevention of Terrorism TFS Regulations, 2024Kenya Law
- Prevention of Proliferation Financing RegulationsKenya Law
- Targeted financial sanctions guidance, July 2025Financial Reporting Centre
- Virtual Asset Service Providers Act, 2025Kenya Law
- Companies Beneficial Ownership Information RegulationsKenya Law
- FATF jurisdictions under increased monitoring, 19 June 2026FATF
- Unlocking Business Trust with KYB in KenyaVOVE ID - contextual reading
Réponses directes
Questions KYC, KYB et AML pour Kenya
What are the main KYC requirements in Kenya?+
A reporting institution should identify and verify the customer from reliable independent sources, identify and reasonably verify the beneficial owner, understand the purpose and intended nature of the relationship, and conduct ongoing due diligence. The exact data and evidence depend on customer type and risk.
What documents are commonly collected for KYB in Kenya?+
The 2023 Regulations address evidence of registration or incorporation, governing documents, registered and principal business addresses, transaction authority, details of natural persons who manage, control or own the entity, beneficial-owner information and financial statements, subject to the applicable circumstances and exceptions.
How long must AML records be kept in Kenya?+
The 2023 Regulations require reporting institutions to retain transaction records and CDD-related records for a minimum of seven years from completion of the transaction or termination of the account or business relationship.
When must suspicious activity be reported in Kenya?+
Section 44(2)-(3) of POCAMLA and regulation 38 of the 2023 Regulations require suspicious transactions or activities, including attempted transactions, to be reported to the Financial Reporting Centre within two days after the suspicion arose. The legislation does not describe these as working days, and supporting information and directly relevant documentation should accompany the report.
Does Kenya's FATF monitoring status require rejecting Kenyan customers?+
No. Kenya remained under increased monitoring as of 19 June 2026, but FATF does not call for automatic enhanced due diligence or wholesale de-risking solely because a jurisdiction is listed. Apply a proportionate risk-based approach and current Kenyan high-risk-country requirements.
Méthode de recherche et de revue
VOVE ID Compliance Research cartographie le périmètre réglementaire, traduit les obligations en contrôles opérationnels, relie les affirmations importantes aux sources et date chaque revue.
VOVE ID Compliance Research · Revue le 14 July 2026 · Version 1.0
This is a general Kenya baseline, not legal advice or a complete sector checklist. Requirements differ by institution type, supervisor, product, customer and risk. Apply the relevant CBK, CMA, IRA, SASRA, LSK, VASP or other sector overlay and confirm current law and regulator guidance before implementation.