Checklist de conformité KYC, KYB et AML
Rwanda KYC, KYB & AML
A practical implementation checklist for reporting persons operating in Rwanda, with a focused payment and financial-services overlay. It translates the January 2025 AML/CFT/CPF law, current FIC rules, National Bank of Rwanda requirements, RDB beneficial-ownership filings and Rwanda's personal-data law into operational controls and reviewable evidence.
- Revue le
- 15 July 2026
- Version
- 1.0
- domaines de contrôle
- 7
- contrôles d’implémentation
- 43
Réponse directe
Que couvre la checklist de conformité pour Rwanda ?
La checklist pour Rwanda traduit les principales règles KYC, KYB et AML en 7 domaines de contrôle et 43 contrôles d’implémentation, avec les autorités, obligations de déclaration et preuves à conserver.
Faits réglementaires clés
- Financial intelligence unit
- Financial Intelligence Centre (FIC Rwanda)
- Current AML law
- Law No. 001/2025 of 22 January 2025
- Suspicion reporting
- Within 24 hours
- Threshold-report filing
- Within 2 working days
- Record retention
- At least 10 years
- FATF public list
- Not listed as of 19 June 2026
Détail d’implémentation
Exigences et actions de conformité pour Rwanda
Ouvrez chaque domaine pour consulter l’exigence, l’action recommandée, les preuves à conserver et la source primaire utilisée.
01Scope, registration and governanceConfirm reporting-person status, register with FIC and establish accountable, independently tested AML/CFT/CPF governance.6 éléments+
Map every reporting person and supervisor
- Action d’implémentation
- Document which entities and activities are reporting persons under Law No. 001/2025. Map FIC obligations and the competent sector supervisor, including the National Bank of Rwanda for licensed financial institutions and payment services, CMA for capital markets and the relevant authority for DNFBPs or other regulated activities.
- Preuves à conserver
- Entity-perimeter memo, licence inventory, supervisor matrix and named obligations owner
- Source primaire
- Law 001/2025; FIC mandate; applicable sector law
Register the reporting person with FIC
- Action d’implémentation
- Use the FIC system to register each reporting person. Under the operational rule, register a new reporting person within 30 days after receiving its incorporation certificate and notify FIC in writing of changes to registered particulars within seven working days.
- Preuves à conserver
- FIC registration, incorporation date, filing receipt, particulars register and change notifications
- Source primaire
- FIC Regulation 002/FIC/2023, arts. 3-4
Appoint and notify a managerial compliance officer
- Action d’implémentation
- Designate an AML/CFT/CPF compliance officer at managerial level with sufficient authority, independence, access and resources. Notify FIC of the appointment within three working days and maintain effective cover for absence or vacancy.
- Preuves à conserver
- Appointment, role profile, reporting line, FIC notification, access rights, deputy and resource assessment
- Source primaire
- FIC Regulation 002/FIC/2023, art. 5
Make the board and senior management accountable
- Action d’implémentation
- Require governing and senior-management bodies to approve the programme, enterprise risk assessment, customer-acceptance standard and material remediation; receive meaningful compliance and risk reporting; and ensure the compliance function can escalate without interference.
- Preuves à conserver
- Approved framework, committee terms, minutes, dashboards, decisions and remediation tracking
- Source primaire
- Law 001/2025; FIC Regulation 002/FIC/2023
Maintain complete internal controls
- Action d’implémentation
- Document risk assessment, customer acceptance, CDD, beneficial ownership, PEP, sanctions, transaction monitoring, wires, reporting, records, training, privacy, agents and outsourcing. Payment service providers must maintain comprehensive and effective AML/CFT policies, procedures and controls and may not invoke banking, professional or contractual secrecy to avoid reporting.
- Preuves à conserver
- Policy suite, regulatory mapping, approvals, version history, PSP control mapping and staff attestations
- Source primaire
- Law 001/2025; Payment Service Provider Regulation 2023, art. 46
Independently audit at least annually
- Action d’implémentation
- Maintain an independent audit function that evaluates compliance with AML/CFT/CPF policies, procedures, controls, CDD, monitoring, reporting and records. Conduct the audit at institution level at least annually and track findings to verified closure.
- Preuves à conserver
- Audit independence, annual plan, report, sampled controls, issue register, owners and closure proof
- Source primaire
- FIC Regulation 002/FIC/2023, art. 25
02Customer due diligence and remote onboardingIdentify customers, representatives and beneficial owners from reliable sources before service, with equivalent controls for remote channels.6 éléments+
Identify and verify every customer
- Action d’implémentation
- Identify permanent and occasional customers, whether natural persons, legal persons or legal arrangements, using reliable and independent documents, data or information. Verify any representative's authority and identity and prohibit anonymous or fictitious accounts.
- Preuves à conserver
- Identity record, verification response, representative authority, source provenance and quality review
- Source primaire
- AML Law 001/2025, arts. 12-13
Understand purpose and expected activity
- Action d’implémentation
- Record the purpose and intended nature of the relationship, occupation or business, products, expected volumes, counterparties, countries, channels and source of funds where required by risk. Use the profile as the monitoring baseline.
- Preuves à conserver
- Customer profile, expected-activity fields, source evidence, risk rationale and review triggers
- Source primaire
- Law 001/2025, art. 13; FIC Regulation 002/FIC/2023, arts. 6 and 9
Apply every CDD trigger and threshold
- Action d’implémentation
- Apply CDD when establishing a relationship; for an occasional cash transaction at or above FRW 10 million; an occasional wire transfer at or above FRW 1 million; a casino transaction at or above FRW 3 million; a real-estate purchase or sale regardless of amount; and a precious-metals or precious-stones cash transaction at or above FRW 15 million. Aggregate linked transactions, and also apply CDD whenever suspicion exists or prior identification data may be unreliable.
- Preuves à conserver
- CDD trigger and equality matrix, linked-transaction logic, completed CDD cases, suspicion escalation and refreshed verification
- Source primaire
- AML Law 001/2025, art. 12; FIC Regulation 002/FIC/2023, art. 13
Verify before or during establishment
- Action d’implémentation
- Verify the customer and beneficial owner before or during establishment or an occasional transaction. Use deferred completion only within the narrow statutory conditions, complete it as soon as reasonably practicable and control the risks before verification finishes.
- Preuves à conserver
- Verification chronology, permitted-deferral rationale, limits, approval, completion evidence and overdue restrictions
- Source primaire
- Law 001/2025, art. 16
Stop or exit when CDD cannot be completed
- Action d’implémentation
- When required CDD cannot be completed, do not open the account, begin the relationship or perform the transaction; terminate an existing relationship where required; and consider filing an STR where necessary. If CDD itself would tip off a suspected customer, stop the CDD process and file an STR.
- Preuves à conserver
- Rejected or terminated case, reason, compliance decision, STR assessment, filing receipt and non-tipping-off controls
- Source primaire
- Law 001/2025, arts. 19-20
Make remote verification equivalent to face-to-face
- Action d’implémentation
- Identify and verify a non-face-to-face customer using procedures equivalent to face-to-face controls and implement measures against single or multiple fraudulent applications. Add document authenticity, biometric or equivalent, device, contact and behavioural controls proportionate to risk.
- Preuves à conserver
- Remote-control design, document result, liveness or equivalent evidence, device signals, fraud rules, exceptions and quality review
- Source primaire
- FIC Regulation 002/FIC/2023, art. 11
03KYB and beneficial ownershipVerify legal existence and authority, trace ownership and effective control, and reconcile AML analysis with RDB filings.6 éléments+
Verify the legal person or arrangement
- Action d’implémentation
- Verify legal name, form, existence, registered and principal addresses, governing instruments, senior managers, registration, tax identifiers, licences and representative authority using RDB, ORG and other reliable independent sources.
- Preuves à conserver
- Registry extract, governing documents, tax and licence checks, managers, representative authority and discrepancy log
- Source primaire
- Law 001/2025, arts. 13-14; RDB/ORG records
Identify the ultimate natural-person owner or controller
- Action d’implémentation
- Identify and take reasonable measures to verify the natural persons who ultimately hold a controlling ownership interest. If ownership does not reveal the beneficial owner or creates doubt, identify natural persons exercising control by other means; if none is identified, record the relevant senior managing official as the statutory fallback.
- Preuves à conserver
- Ownership chart to natural persons, controlling-interest rationale, other-control analysis, verification and fallback record
- Source primaire
- Law 001/2025, arts. 2 and 14
Identify all legal-arrangement parties
- Action d’implémentation
- For a trust, identify and verify the settlor, trustee, protector where applicable, beneficiaries or class of beneficiaries and any other natural person exercising ultimate effective control. Apply equivalent analysis to a similar arrangement.
- Preuves à conserver
- Trust or arrangement instrument, party register, identity verification, control map and beneficiary-class analysis
- Source primaire
- Law 001/2025, art. 14
Apply the current AML beneficial-owner cascade
- Action d’implémentation
- Law No. 001/2025 sets no percentage. Operationalise FIC Guidelines No. 002/2025 by identifying natural persons with more than 25% of shares, at least 25% of voting rights, control by other means and, only if no natural person is identified, the senior-management fallback. Use a conservative at-least-25% implementation where systems need one threshold and document the official-text distinction.
- Preuves à conserver
- Ownership and voting chart, threshold logic, other-control analysis, verification, fallback record and legal rationale
- Source primaire
- AML Law 001/2025, art. 14; FIC Guidelines 002/2025
File, reconcile and refresh beneficial ownership
- Action d’implémentation
- For RDB/ORG filing, apply the registry guidance's at-least-25% ownership step plus control by other means. Keep the RDB and AML analyses separate and reconcile discrepancies. Update beneficial-owner information within 15 days after a change, after identifying outdated information, or after a specified risk trigger. Refresh higher-, medium- and lower-risk BO files at least every one, two and three years respectively, and maintain the internal register and supporting evidence.
- Preuves à conserver
- Separate AML and registry analyses, RDB filing, 15-day change, stale-data and risk-trigger workflow, 1/2/3-year review calendar, internal register and reconciliation
- Source primaire
- FIC Guidelines 002/2025, section 6.3; RDB BO Guidelines
Verify licences and operating reality
- Action d’implémentation
- Confirm the entity holds every required sector licence; business registration alone does not authorise financial services. Compare directors, locations, websites, settlement accounts, contracts and transaction activity to the claimed business and escalate shell or nominee indicators.
- Preuves à conserver
- NBR or CMA licence check, RDB record, operating-footprint evidence, account match, adverse information and decision
- Source primaire
- NBR Consumer Protection Booklet; applicable licensing law
04Risk, PEPs and targeted financial sanctionsOperate documented enterprise and customer risk assessment, mandatory PEP controls and immediate 2025 TFS measures.6 éléments+
Assess enterprise-wide ML/TF/PF risk
- Action d’implémentation
- Identify, assess, understand and document risks from customers, beneficial owners, countries, products, services, transactions, delivery channels, technologies, agents and outsourcing. Update the assessment after material change and use Rwanda's national risk assessment as an input.
- Preuves à conserver
- Approved methodology, data inputs, assessment, residual-risk decisions, update log and remediation plan
- Source primaire
- Law 001/2025; Payment Service Provider Regulation 2023, art. 46; Rwanda NRA 2024
Assign and explain relationship risk
- Action d’implémentation
- Assign a documented rating using ownership, PEP, sanctions, business, product, channel, transaction and geographic factors. Ensure risk drives CDD depth, approval, monitoring and review frequency and that overrides are controlled.
- Preuves à conserver
- Scoring methodology, input data, rating, override record, approval and next-review date
- Source primaire
- Law 001/2025; FIC Regulation 002/FIC/2023
Identify PEPs and connected persons
- Action d’implémentation
- Use risk-management systems to identify whether a customer or beneficial owner is a foreign or domestic PEP or a person entrusted by an international organisation, and identify covered family members and close associates. Repeat screening throughout the relationship.
- Preuves à conserver
- PEP screening, relationship map, source data, alert decisions and rescreening
- Source primaire
- Law 001/2025, art. 22
Apply mandatory PEP controls
- Action d’implémentation
- Obtain senior-management approval before establishing or continuing the relationship, take reasonable measures to establish source of wealth and source of funds and apply enhanced ongoing monitoring proportionate to risk.
- Preuves à conserver
- Senior approval, source-of-wealth and source-of-funds substantiation, EDD file and monitoring plan
- Source primaire
- Law 001/2025, art. 22
Screen UN and domestic lists continuously
- Action d’implémentation
- Screen customers, beneficial owners, controllers, representatives and transaction parties against current UN and Rwanda domestic designation lists before onboarding, before relevant transactions and immediately after FIC list notices. Subscribe to and operationalise current FIC public notices.
- Preuves à conserver
- Authoritative-list inventory, notice subscription, update log, screening results, alert decisions and QA
- Source primaire
- Law 001/2025; FIC Regulation 001/FIC/2025; FIC Public Notices
Execute the exact TFS without-delay sequence
- Action d’implémentation
- After FIC notification, complete screening within five hours. If there is no match, report that outcome within two hours after screening. If there is a match, apply the targeted financial sanctions and prohibitions and report within six hours after screening. Complete the full designation-to-screening-to-freezing-and-reporting process within 24 hours after designation. Without prior notice freeze or seize linked assets, prohibit direct or indirect availability and submit the required STR or SAR when designated assets are identified.
- Preuves à conserver
- Designation, notification and screening timestamps, two-hour no-match report or six-hour match action, asset scope, freeze record, STR or SAR receipt and release authority
- Source primaire
- FIC Regulation 001/FIC/2025; January 2026 Without-Delay Guidance
05Enhanced due diligence and higher-risk controlsApply proportionate additional measures to higher-risk customers, jurisdictions, structures, products and counterparties.5 éléments+
Apply EDD when risk or suspicion is elevated
- Action d’implémentation
- Obtain additional identity, ownership, business, purpose, source-of-funds and source-of-wealth information; require senior approval; deepen and increase monitoring; and document why residual risk remains acceptable.
- Preuves à conserver
- EDD checklist, corroborating records, approval, monitoring plan and review date
- Source primaire
- Law 001/2025, art. 18; FIC Regulation 002/FIC/2023, art. 8
Apply high-risk-country measures without blanket de-risking
- Action d’implémentation
- Apply enhanced CDD and any FIC or supervisory countermeasures to relationships and transactions involving identified high-risk countries. Document the current authority, risk basis and humanitarian or legitimate-activity safeguards.
- Preuves à conserver
- Country-risk methodology, FIC notice, EDD, countermeasure decision and exception governance
- Source primaire
- FIC Regulation 002/FIC/2023, arts. 16 and 24
Control correspondent banking
- Action d’implémentation
- Before entering a cross-border correspondent or similar relationship, understand the respondent's business, ownership, reputation, supervision and AML controls; establish responsibilities; obtain senior approval; and prohibit shell-bank exposure and uncontrolled payable-through access.
- Preuves à conserver
- Correspondent questionnaire, public-source checks, control assessment, approval, agreement and review
- Source primaire
- Law 001/2025, art. 23; FIC Regulation 002/FIC/2023, art. 17
Control third-party reliance
- Action d’implémentation
- Rely on another party only under the statutory conditions, obtain CDD information immediately, ensure records can be supplied within 24 hours after request and retain ultimate responsibility. Apply group controls where reliance is intra-group.
- Preuves à conserver
- Reliance due diligence, agreement, information receipt, 24-hour retrieval test, monitoring and exit plan
- Source primaire
- Law 001/2025, art. 28
Investigate complex and unusual transactions
- Action d’implémentation
- Pay special attention to complex, unusual and large transactions with no apparent lawful or economic purpose. Examine background, source and purpose, document findings and submit the required report to FIC when the applicable rule requires.
- Preuves à conserver
- Alert, investigation chronology, customer explanation, corroboration, written findings and FIC receipt
- Source primaire
- FIC Regulation 002/FIC/2023, art. 12
06Monitoring, wires and payment-service controlsKeep CDD current, monitor activity and preserve complete originator and beneficiary information through every payment role.7 éléments+
Monitor transactions throughout the relationship
- Action d’implémentation
- Monitor actual activity against the customer's purpose, business, source, expected behaviour and risk. Use appropriately calibrated scenarios, link related transactions and provide investigators with complete data and case context.
- Preuves à conserver
- Monitoring coverage, data lineage, scenario inventory, alert cases, tuning, QA and metrics
- Source primaire
- Law 001/2025; Payment Service Provider Regulation 2023, art. 46
Refresh on risk and trigger events
- Action d’implémentation
- Update identity, beneficial ownership, business, expected activity, PEP, sanctions and risk information according to materiality and risk and after ownership changes, unusual activity, document expiry, new products or adverse information.
- Preuves à conserver
- Risk-based review schedule, trigger feed, updated CDD, rescreening, rating and overdue controls
- Source primaire
- Law 001/2025, art. 17; FIC Regulation 002/FIC/2023, art. 15
Capture complete wire information
- Action d’implémentation
- Apply the required originator and beneficiary data to domestic and cross-border wire transfers, with the exact threshold treatment in the current FIC rule. Preserve account or unique-reference traceability and required identity and address or equivalent data.
- Preuves à conserver
- Payment-message specification, validation, domestic and cross-border samples, traceability and exception report
- Source primaire
- Law 001/2025, arts. 25-27; FIC Regulation 002/FIC/2023, arts. 18 and 22
Apply ordering, intermediary and beneficiary duties
- Action d’implémentation
- Detect missing wire information and apply role-specific verification, retention, suspension, rejection, monitoring and STR decisions. Where one provider controls both sides, consider all information from the ordering and beneficiary sides when deciding whether to report.
- Preuves à conserver
- Role matrix, missing-data rules, repair and reject queue, decision records, retention and STR receipt
- Source primaire
- Law 001/2025, arts. 25-27; FIC Regulation 002/FIC/2023, arts. 19-21
Obtain approval for agents and material outsourcing
- Action d’implémentation
- Obtain prior National Bank of Rwanda approval before using a payment agent and prior written approval before outsourcing an important operational function. Perform due diligence, contract for AML, privacy, records, audit and incident rights, train and monitor approved agents and providers, and retain accountability for outsourced controls.
- Preuves à conserver
- NBR approvals, due-diligence file, contract, agent and provider registers, training, monitoring, incidents and termination log
- Source primaire
- Law 061/2021 governing payment systems, arts. 29-30
Perform PSP CDD before service and retain payer/payee identity
- Action d’implémentation
- A payment service provider must perform CDD and KYC before providing service and retain identification information for the payer and payee regardless of their location. Map this requirement into onboarding, payment-message, retention and retrieval controls.
- Preuves à conserver
- Pre-service CDD gate, payer and payee fields, retention configuration and retrieval test
- Source primaire
- Payment Service Provider Regulation 2023, art. 45
Prevent shell-bank relationships
- Action d’implémentation
- A payment service provider and financial institution must not deal with shell banks or shell financial institutions or permit its accounts to be used by them. Screen counterparties and escalation indicators before and during the relationship.
- Preuves à conserver
- Counterparty policy, ownership and physical-presence checks, attestations, screening and review
- Source primaire
- Payment Service Provider Regulation 2023, art. 46; Law 001/2025
07Reporting, records, privacy and assuranceMeet FIC reporting clocks, preserve ten-year evidence and operate Rwanda's controller and processor registration, breach and transfer controls.7 éléments+
File suspicious activity within 24 hours
- Action d’implémentation
- Promptly submit an STR or suspicious-activity report to FIC within 24 hours using the template and electronic or other channel set by FIC. Report regardless of amount when the suspicion test is met and maintain strict non-tipping-off controls.
- Preuves à conserver
- Case chronology, compliance decision, FIC report, submission receipt, access log and communication controls
- Source primaire
- FIC Regulation 002/FIC/2023, art. 29; Law 001/2025, arts. 32 and 34
Submit threshold reports within two working days
- Action d’implémentation
- Under the published operational rule, report financial-institution cash at or above FRW 10 million, subject to the stated inter-financial-institution exception; an occasional-customer transaction above FRW 10 million; casino cash at or above FRW 3 million; precious-metals or stones dealer cash at or above FRW 15 million; and wire transfers at or above FRW 1 million. Preserve those greater-than versus at-least operators. Linked transactions are reportable when their combined total exceeds the applicable threshold. File the FIC template within two working days from the transaction day and confirm continued applicability under Law No. 001/2025.
- Preuves à conserver
- Threshold and equality register, combined-total linked logic, reports, two-working-day timeline, receipts and legal confirmation
- Source primaire
- FIC Regulation 002/FIC/2023, arts. 31-32
Retain retrievable records for at least ten years
- Action d’implémentation
- Keep domestic and international transaction records, CDD files, business correspondence, analysis results, STRs and other FIC reports and supporting documents for at least ten years after the transaction, relationship termination or occasional transaction. Ensure swift retrieval for competent authorities.
- Preuves à conserver
- Retention schedule, repository controls, sample retrieval, legal holds, access logs and deletion evidence
- Source primaire
- Law 001/2025, art. 21
Register controllers and processors and appoint DPOs when triggered
- Action d’implémentation
- Before operating as a data controller or processor, register with the Data Protection and Privacy Office and maintain a valid certificate. Apply for renewal within 45 working days before expiry and report changes. Appoint a personal-data protection officer when one of Article 40's statutory triggers applies, rather than treating appointment as universal. A non-established organisation processing data of people in Rwanda must designate a written representative in Rwanda.
- Preuves à conserver
- Registration certificate, renewal diary, change notifications, Article 40 DPO assessment and appointment where triggered, local representative and processing inventory
- Source primaire
- Law 058/2021, arts. 29-36 and 40; DPO Registration Guide
Apply lawful, transparent and secure processing
- Action d’implémentation
- Map processing to a lawful basis, give required notices, limit data to stated purposes, maintain accuracy, define retention, support data-subject rights, log processing, protect data with appropriate technical and organisational measures and contractually govern processors.
- Preuves à conserver
- Lawful-basis register, notices, records of processing, rights log, security tests, access review and processor agreements
- Source primaire
- Law 058/2021, arts. 4-17, 37-42 and 46-47
Meet the 48-hour and 72-hour breach clocks
- Action d’implémentation
- Communicate a personal-data breach to the supervisory authority within 48 hours after awareness and submit the detailed breach report no later than 72 hours. A processor must notify the controller within 48 hours. Communicate high-risk breaches to affected data subjects unless a statutory exception applies.
- Preuves à conserver
- Incident chronology, 48-hour notice, 72-hour report, processor notice, subject communication and remediation
- Source primaire
- Law 058/2021, arts. 43-45; DPO Breach Report Form
Separate cross-border transfer grounds from offshore storage approval
- Action d’implémentation
- For a transfer outside Rwanda, document one of Article 48's alternative lawful grounds and the applicable safeguards; supervisory authorisation is not the only possible transfer basis. Separately, obtain the valid Article 50 certificate authorising storage of personal data outside Rwanda. Record destination, purpose, recipient, security, contracts and the selected statutory route.
- Preuves à conserver
- Data map, Article 48 transfer assessment, safeguards, Article 50 storage certificate, contracts, security assessment and transfer register
- Source primaire
- Law 058/2021, arts. 48 and 50; DPO transfer, storage and retention guidance

7 domaines de contrôle et 43 vérifications d'implémentation avec sources réglementaires directes.
Téléchargez la checklist KYC, KYB et AML pour Rwanda
Partagez vos coordonnées professionnelles pour accéder immédiatement à la checklist d'implémentation sourcée pour Rwanda. Date de revue réglementaire : 15 July 2026.
Recevez le PDF immédiatement
Envoyez vos coordonnées pour démarrer automatiquement le téléchargement
Revue et sourcée
Version 1.0, revue le 15 July 2026
Approuvé par des équipes conformité de premier plan
Registre des sources primaires
24 sources utilisées pour cette checklist
Utilisez ces liens pour vérifier la législation, les lignes directrices, les procédures de déclaration et les statuts internationaux.
- Law No. 001/2025 on prevention and punishment of money laundering, terrorist financing and proliferation financingFinancial Intelligence Centre Rwanda · primary
- Regulation No. 002/FIC/2023 relating to AML/CFT/CPFFinancial Intelligence Centre Rwanda · primary
- Regulation No. 001/FIC/2025 on targeted financial sanctionsFinancial Intelligence Centre Rwanda · primary
- FIC Guidelines No. 002/2025 on Transparency and Beneficial OwnershipFinancial Intelligence Centre Rwanda · primary
- Guidance on implementation of the without-delay principle for TFS, January 2026Financial Intelligence Centre Rwanda · primary
- FIC Guideline No. 001/2025 on AML/CFT/CPF Independent AuditFinancial Intelligence Centre Rwanda · primary
- FIC record-keeping guidance, January 2026Financial Intelligence Centre Rwanda · primary
- Law No. 002/2025 amending the law governing the Financial Intelligence CentreFinancial Intelligence Centre Rwanda · primary
- FIC public notices on current targeted financial sanctionsFinancial Intelligence Centre Rwanda · primary
- FIC mandate and reporting responsibilitiesFinancial Intelligence Centre Rwanda · primary
- 2024 National Money Laundering and Terrorist Financing Risk AssessmentFinancial Intelligence Centre Rwanda · primary
- Regulation governing payment service providers, 2023National Bank of Rwanda · primary
- Law No. 061/2021 governing the payment systemNational Bank of Rwanda · primary
- Payment systems legal instrumentsNational Bank of Rwanda · primary
- Beneficial Ownership GuidelinesRwanda Office of the Registrar General · primary
- Beneficial Ownership Requirements and FormsRwanda Office of the Registrar General · primary
- Beneficial Owners RegisterRwanda Development Board · primary
- Rwanda personal-data and privacy law guidanceData Protection and Privacy Office · primary
- Personal-data sharing, transfer, storage and retention guidanceData Protection and Privacy Office · primary
- Controller and processor registration guideData Protection and Privacy Office · primary
- Personal Data Breach Report FormData Protection and Privacy Office · primary
- Jurisdictions under Increased Monitoring, 19 June 2026FATF · primary
- AML Compliance in Rwanda 2026VOVE ID · contextual
- KYB in Rwanda 2026VOVE ID · contextual
Réponses directes
Questions KYC, KYB et AML pour Rwanda
What is Rwanda's current AML law?+
Law No. 001/2025 of 22 January 2025 is the current national AML/CFT/CPF law. It repealed Law No. 028/2023.
How quickly must an STR be filed in Rwanda?+
The published FIC operational regulation requires prompt submission within 24 hours using the FIC template and prescribed channel.
What beneficial-owner percentage applies?+
Law No. 001/2025 sets no percentage. FIC Guidelines No. 002/2025 use more than 25% of shares, at least 25% of voting rights, control by other means and senior-management fallback; RDB guidance uses at least 25% plus control. A conservative at-least-25% implementation should document these official-text distinctions and keep AML and registry analyses separate.
What are Rwanda's personal-data breach deadlines?+
The controller communicates the breach to the supervisory authority within 48 hours after awareness and submits the detailed report no later than 72 hours. A processor notifies the controller within 48 hours.
Méthode de recherche et de revue
VOVE ID Compliance Research cartographie le périmètre réglementaire, traduit les obligations en contrôles opérationnels, relie les affirmations importantes aux sources et date chaque revue.
VOVE ID Compliance Research · Revue le 15 July 2026 · Version 1.0
This checklist is general compliance information, not legal advice. Law No. 001/2025 is the current national AML/CFT/CPF baseline and repealed Law No. 028/2023. FIC Regulation No. 002/FIC/2023 is cited because FIC continues to publish it for operational reporting, CDD, wire and threshold rules; confirm its current application and any replacement or amendment directly with FIC. Add the current sector rules of the National Bank of Rwanda, Capital Market Authority, insurance, gaming, professional or other competent supervisor before implementation.