AML/CFT Compliance in Kenya: CBK, POCAMLA, and the 2026 Regulatory Landscape
Kenya's anti-money laundering and counter-terrorism financing (AML/CFT) regime is under intense scrutiny. The Central Bank of Kenya (CBK) has been actively enhancing its oversight and enforcement measures, driven in part by the country's listing on the Financial Action Task Force (FATF) grey list in February 2024. As of April 2026, Kenya remains on the FATF grey list, with the latest FATF review in October 2025 still listing Kenya under increased monitoring. The CBK's efforts include real-time monitoring of customer transactions and enhanced supervision of mobile money operators like M-Pesa.
Key Facts at a Glance
- Primary regulator: CBK (Central Bank of Kenya) for banks, money remittance, forex bureaus, MFBs, PSPs including mobile money operators.
- Primary AML law: Proceeds of Crime and Anti-Money Laundering Act 2009 (POCAMLA) amended by Finance Act 2021 and POCAMLA Amendment Act 2023.
- FIU: Financial Reporting Centre (FRC), autonomous agency.
- Criminal offence: Section 3 POCAMLA (money laundering) and Prevention of Terrorism Act 2012 (terrorism financing).
- FATF status: Added to grey list February 2024, based on ESAAMLG mutual evaluation findings.
- Mobile money: M-Pesa processes over $300bn annually; CBK enhanced supervision 2024-2025.
- VASP framework: Capital Markets (Virtual Assets) Regulations draft 2024; CBK digital asset public consultation 2025.
The Regulatory Landscape
Kenya's AML/CFT framework is primarily governed by the Proceeds of Crime and Anti-Money Laundering Act 2009 (POCAMLA), which was amended by the Finance Act 2021 and the POCAMLA Amendment Act 2023. The Prevention of Terrorism Act 2012 also plays a crucial role in addressing terrorism financing. The Central Bank of Kenya (CBK) is the primary regulator for banks, microfinance banks, money remittance providers, and digital payment service providers, including mobile money operators like M-Pesa.
The Financial Reporting Centre (FRC) serves as Kenya's Financial Intelligence Unit (FIU), responsible for receiving, analyzing, and disseminating financial intelligence to relevant authorities. Kenya's regulatory framework is also influenced by its membership in the East African Community (EAC) and cooperation with international bodies such as the FATF.
CBK's Enhanced Supervision and Enforcement
In 2025, the CBK introduced new measures to enhance its supervision and enforcement of AML/CFT regulations. These measures include real-time monitoring of customer transactions across banking, mobile money, and electronic payment systems. This move aims to improve oversight and risk detection, particularly in the mobile money sector, which processes over $300 billion annually.
The CBK has also partnered with international bodies, such as the UK Treasury, to strengthen oversight of non-bank financial institutions and curb illicit financial flows. These efforts are part of Kenya's broader strategy to address the FATF's concerns and improve compliance with international AML/CFT standards.
Customer Due Diligence and KYC
Kenyan financial institutions are required to implement customer due diligence (CDD) measures, including verifying the identity of customers, understanding the nature of their business, and monitoring their transactions. The CBK has provided guidance on the implementation of CDD and know-your-customer (KYC) requirements, emphasizing the importance of risk-based approaches.
Financial institutions are expected to maintain records of customer transactions and report suspicious activities to the FRC. The CBK has also emphasized the importance of ongoing monitoring and reporting of suspicious transactions.
Sanctions Screening
Kenyan financial institutions are required to implement sanctions screening measures to prevent dealing with individuals or entities subject to sanctions. The CBK has provided guidance on the implementation of sanctions screening, emphasizing the importance of real-time screening and ongoing monitoring.
SAR/STR Reporting
Financial institutions in Kenya are required to submit Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) to the FRC when they suspect that a transaction may be related to money laundering or terrorism financing. The CBK has provided guidance on the implementation of SAR/STR reporting, emphasizing the importance of timely reporting and confidentiality.
Kenyan financial institutions must ensure that SARs/STRs are submitted in a timely and confidential manner to avoid regulatory penalties and reputational damage.
Risk-Based Approach
The CBK requires financial institutions to implement a risk-based approach to AML/CFT, which involves assessing the risk of money laundering and terrorism financing associated with each customer and transaction. Financial institutions must maintain risk assessments and mitigation measures to address identified risks.
Crypto-Assets and Virtual Asset Service Providers (VASPs)
Kenya has introduced regulations for Virtual Asset Service Providers (VASPs), which are required to obtain licenses and comply with AML/CFT regulations. The Capital Markets (Virtual Assets) Regulations draft 2024 and the CBK digital asset public consultation 2025 reflect the country's efforts to regulate virtual assets and enhance financial integrity.
Recent Enforcement
The CBK has taken enforcement actions against financial institutions that have failed to comply with AML/CFT regulations, including revoking licenses and imposing penalties. In 2025, the CBK revoked the licenses of several forex bureaus and imposed penalties on banks for KYC lapses.
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| 2025 | Kenya Commercial Bank | KES 10 million | KYC lapses |
| 2025 | Equity Bank | KES 5 million | AML/CFT compliance failures |
| 2025 | Forex Bureau Ltd. | License revoked | AML/CFT non-compliance |
Practical Compliance Checklist for Kenyan Institutions
Minimum Documentation Set Under POCAMLA
- Institution-wide risk assessment under Section 10 POCAMLA, refreshed annually and on material change.
- Internal safeguards manual under Section 11 POCAMLA, covering customer due diligence, ongoing monitoring, sanctions screening, training, and reporting.
- Written CDD procedures aligned with POCAMLA requirements.
- Sanctions screening policy covering UN, EU, and national lists with documented matching logic and false-positive review procedure.
- SAR/STR procedures referencing Section 24 POCAMLA and the FRC guidelines.
- PEP identification and EDD procedure including the 12-month post-departure continuation requirement.
- Designated AML Officer and deputy notified to CBK under Section 12 POCAMLA.
- Staff training programme under Section 13 POCAMLA, with documented annual refresher cycles.
- For VASPs: documented AML/CFT procedures for virtual asset transactions.
Common Pitfalls
Three patterns dominate recent enforcement files in Kenya. The first is inadequate customer due diligence: institutions that have failed to properly verify customer identities and assess risks have faced regulatory penalties. The second is inadequate transaction monitoring: institutions that have failed to monitor transactions effectively have faced penalties for facilitating suspicious activities. The third is insufficient reporting: institutions that have failed to report suspicious activities in a timely manner have faced penalties for non-compliance.
The CBK and other Kenyan regulators are expected to continue enhancing their AML/CFT regulations and enforcement measures to address emerging risks and improve compliance with international standards. Institutions must stay vigilant and proactive in their AML/CFT efforts to avoid regulatory penalties and reputational damage.
How RegMantle Helps
RegMantle generates jurisdiction-specific AML/CFT documentation for Kenyan institutions, citing the POCAMLA, CBK regulations, and applicable international standards directly in the text. Generated documents include the institution-wide risk assessment, AML/CFT policy manual, KYC/CDD procedures aligned with POCAMLA requirements, sanctions screening policy referencing the UN Consolidated Financial Sanctions List, SAR/STR procedures keyed to Section 24 POCAMLA and the FRC guidelines, and the staff training programme required under Section 13 POCAMLA.