What Kenya’s AML/CFT Amendment Act 2025 Means for Every SACCO, MFI, and PSP in East Africa

--

Kenya is on the FATF Grey List. This is what that means for you.

In October 2022, the Financial Action Task Force placed Kenya under increased monitoring — what the industry calls the ‘grey list.’ It means FATF found significant deficiencies in Kenya’s AML/CFT framework. Not the kind of deficiencies you fix with a memo. Systemic ones.

The grey list has real consequences. Correspondent banks — the large international banks that enable cross-border transactions — apply enhanced scrutiny to institutions in grey-listed countries. Foreign direct investment slows. Remittances become more expensive. Regulators come under pressure to show results.

Kenya’s response was the AML/CFT Amendment Act 2025. It is now law. And most of the institutions it applies to are not ready.

Who is now in scope — and what changed

The Amendment Act 2025 expanded the definition of ‘reporting institutions’ beyond commercial banks and large fintechs. SACCOs, microfinance banks, payment service providers, mobile money operators, and money remittance businesses are now explicitly subject to the same core obligations as tier-1 banks.

The three changes that matter most:

1. MLRO with direct Board access. Every reporting institution must designate a Money Laundering Reporting Officer. The critical new requirement: the MLRO must have a direct reporting line to the Board or Board Audit Committee — not just to the CEO. This is not a box-ticking exercise. If your MLRO cannot escalate to the Board without going through the CEO first, you have a gap.

2. STR filing within 3 days of suspicion forming. The Act tightens the STR reporting timeline. From the moment reasonable suspicion forms, you have 3 days to file with the Financial Reporting Centre. Not 3 days from when the incident occurred — from when suspicion formed. This distinction matters enormously in an examination.

3. Beneficial ownership verification at 25% threshold. The Act aligns Kenya with the FATF standard on beneficial ownership: institutions must identify and verify any individual who ultimately owns or controls 25% or more of a corporate customer. This is new for many SACCOs and PSPs that have historically treated corporate onboarding as a documentation exercise.

The gap most institutions have — and why it matters now

I have reviewed compliance programs at financial institutions across East Africa. The most common gap is not malicious non-compliance. It is compliance theatre — the appearance of a program without the substance.

The tell-tale signs: an AML/CFT policy that has not been reviewed in three years. An MLRO who also runs finance. A transaction monitoring ‘system’ that is actually a spreadsheet reviewed monthly. STR filings that happen reactively, after a customer complaint, rather than proactively from transaction monitoring alerts.

These are not unusual. They are the norm in institutions below a certain size — not because the people running them are negligent, but because enterprise-grade compliance infrastructure has historically cost KES 5–15 million per year. Well beyond what a SACCO with 2,000 members can afford.

The Amendment Act 2025 changes the calculation. The penalty for non-compliance is now up to KES 5 million per violation, plus individual liability for officers. A CBK examination finding on a critical control is not a fine — it is an institutional risk.

Three things you should do in the next 30 days

You do not need a full enterprise compliance program to pass a CBK examination. You need a program that is documented, proportionate to your risk, and operated in practice — not just on paper.

1. Review your MLRO’s Terms of Reference. Does your MLRO have explicit Board reporting access in their written ToR? If not, fix it at the next Board meeting. One paragraph in the ToR. Costs nothing.

2. Pull your last 12 months of STR filings. How many did you file? If the answer is zero, that is either because you had zero suspicious transactions (unlikely) or because your monitoring is not detecting them. Both outcomes require attention before an examination.

3. Test your customer risk rating system. Take ten of your recent corporate account openings. Can you trace them from onboarding through to a documented risk rating, with justification? If you cannot produce this in 24 hours, your system exists on paper only.

The opportunity inside the obligation

Every compliance requirement is also a market signal. The institutions that build genuine AML/CFT programs in the next 12 months will be the ones that correspondent banks want to work with. The ones that attract impact investors. The ones whose CEOs can walk into a CBK examination with confidence.

The Amendment Act 2025 is not a problem to manage. It is a moat to build.

About the Author

Alex Livingstone Ongwen is an AML/CFT advisor and fractional CCO with 15 years inside African fintech and telco infrastructure, including leading service delivery for M-Pesa Africa across eight markets. He is co-founder of SightTech Solutions, a Nairobi-based RegTech company building AI-powered compliance infrastructure for East African financial institutions. He works with SACCOs, fintechs, PSPs, and MFIs on AML/CFT readiness, MLRO advisory, and operational governance.

LinkedIn: linkedin.com/in/alex-livingstone-ongwen-04a95726 | Email: [email protected] | Web: www.sighttech.io