Beyond Checklists: What New AML/CFT Regulations Mean for Banks, Fintechs and SACCOs

In September 2025, Kenya’s financial regulator issued compliance notices to 35 savings and credit cooperatives (SACCOs), warning of sanctions for failures in anti-money laundering controls. The message was clear across East Africa’s financial sector: the era of light-touch supervision had come to an end. From amendments to Kenya’s Proceeds of Crime and Anti-Money Laundering Act to updated guidance under Uganda’s national risk assessment and tighter oversight in Tanzania, the region is undergoing its most significant financial-crime compliance overhaul in more than a decade.

Driven by pressure from the Financial Action Task Force(FATF) and the European Commission, rapid fintech growth, and rising cross-border fraud, regulators are shifting from form-based reporting toward risk-based, technology-driven supervision. The stakes are rising quickly, and non-compliance now carries heavier penalties, potential criminal liability for executives, and the risk of losing correspondent banking relationships. For banks, fintechs, and SACCOs alike, the challenge is clear: modernise compliance systems quickly or risk being left behind.

Background

Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) regulations form the global framework designed to prevent criminals from disguising illicit funds as legitimate income and to block financial flows supporting terrorist activities. These controls protect the integrity of the financial system, maintain public trust, and safeguard institutions from being exploited for criminal purposes. For East Africa, AML/CFT compliance carries significance beyond domestic concerns. The FATF not only sets international standards but also regularly evaluates various national compliance frameworks. The grey and blacklisting consequences that follow non-compliance can devastate economies by restricting access to international financial markets, limiting cross-border transactions, and discouraging foreign investment.

Correspondent banks, operating under intense scrutiny from their own regulators, increasingly refuse relationships with institutions that demonstrate weak AML controls. This external pressure has transformed compliance from a bureaucratic formality into a strategic imperative: without robust AML/CFT systems, East African financial institutions risk being isolated from the global financial system.​​​​​​​​​​​​​​​​

Why Reform Is Accelerating Now ‍

First, FATF and EU evaluation cycles have placed several African nations under intense scrutiny, with several countries facing grey-list threats that would severely damage their access to international financial markets. The reputational and economic costs of such designations have concentrated regulatory minds across the region. ‍

Second, the meteoric rise of mobile money and fintech platforms has fundamentally transformed the financial landscape. East Africa leads the world in mobile money penetration, but this innovation has created new vulnerabilities. Digital channels enable faster, more complex transactions that traditional monitoring systems struggle to track, expanding the environment for money laundering and terrorist financing.

Third, cross-border financial crime has become more sophisticated. Cyber-enabled fraud, trade-based money laundering, and the emergence of virtual asset service providers (VASPs) have created compliance challenges that yesterday’s regulations were never designed to address.

Finally, correspondent banks, burned by previous scandals and facing their own heightened regulatory pressures, are demanding higher Know Your Customer (KYC) and Know Your Business (KYB) standards from African partners. Institutions that cannot demonstrate robust AML controls risk losing these critical relationships, effectively cutting them off from international payment systems.

What the New Rules Require

At the core is a fundamental shift to risk-based compliance. Rather than applying uniform procedures to all customers, institutions must now assess individual risk profiles and apply enhanced due diligence to high-risk categories. This includes politically exposed persons, cross-border transactions, cash-intensive businesses, and customers from high-risk jurisdictions.

Beneficial ownership requirements have tightened. Financial institutions must now identify and verify the ultimate beneficial owners of corporate customers, piercing through complex ownership structures and nominee arrangements. For many SACCOs accustomed to dealing primarily with individual members, this represents entirely new territory.

Transaction monitoring expectations have escalated from periodic reviews to real-time or near-real-time surveillance. Institutions must implement systems capable of detecting unusual patterns, flagging suspicious transactions, and generating timely suspicious transaction reports (STRs). Reporting thresholds for cash transactions have been lowered, capturing a wider net of activity.

Governance requirements now extend to the board level. Directors must receive AML/CFT training, institutions must establish dedicated compliance functions, and larger entities need board-level risk committees with specific AML oversight mandates. The regulations also expand the definition of reporting institutions, bringing fintechs, payment service providers, and even some professional service firms into the regulatory perimeter for the first time. ‍

Differential Impact Across Institution Types

‍The compliance burden falls unevenly across East Africa’s diverse financial sector.

Commercial banks, while better resourced, face significant technology upgrade costs. Legacy transaction monitoring systems must be replaced with AI-driven platforms capable of analysing vast data volumes in real time. Banks must also navigate intensified scrutiny from correspondent banking partners. The cost of RegTech solutions, encompassing KYC utilities, sanctions screening, and behavioural analytics, represents a substantial capital investment. ‍

Fintechs and mobile money operators face a paradox. Their digital infrastructure should make compliance easier, yet many were built for speed and scale rather than regulatory rigor. Now classified as reporting institutions, they must implement identity verification systems that balance security with user experience. Overly cumbersome KYC processes risk slowing customer onboarding and dampening the growth that made fintech attractive to investors. The sector must also grapple with agent networks, third parties who often serve as the customer-facing layer but may lack adequate training or oversight.

SACCOs and microfinance institutions confront the most severe adjustment. Historically subject to lighter supervision, they now face bank-level compliance expectations without bank-level resources. The September 2025 enforcement action against 35 Kenyan SACCOs illustrates the urgency: institutions must hire compliance professionals, establish AML committees, digitise member records, and implement monitoring systems, all while serving communities that depend on low-cost, accessible financial services.

Navigating Operational Challenges

‍Data quality poses another fundamental obstacle. Effective AML systems depend on accurate, complete customer information, but many institutions, especially SACCOs, have incomplete records, inconsistent data formats, and limited historical documentation. Cleaning and standardising this data represents a massive undertaking before modern monitoring tools can even be deployed.

Regulatory complexity adds another layer of difficulty. Institutions operating across borders must navigate overlapping national requirements, while the relationship between central bank supervision, financial intelligence units, and sector-specific regulators sometimes creates conflicting guidance or duplicative reporting obligations. ‍

Strategic Opportunities

Yet compliance modernisation offers strategic benefits beyond avoiding penalties. States and organisations that invest in robust AML programs strengthen their standing with correspondent banks and international investors, potentially unlocking access to cheaper funding and new partnerships. Lower fraud losses and better customer due diligence improve portfolio quality, a tangible bottom-line benefit for lenders.

Enhanced AML frameworks also position East African institutions to participate more fully in continental integration initiatives, including the African Continental Free Trade Area (AfCFTA) and the Pan-African Payment & Settlement System (PAPSS) that demand high compliance standards.

‍Conclusion ‍

East Africa’s AML/CFT transformation represents far more than a regulatory compliance exercise. It marks a fundamental restructuring of the region’s financial architecture, determining which institutions can participate in an increasingly integrated and sophisticated financial system. ‍

The compliance bar has risen permanently. Institutions that modernise their systems, invest in expertise, and embed risk-based thinking into their cultures will emerge more resilient, trusted, and competitive. Those that view compliance as merely a cost to be minimised will face mounting penalties, reputational damage, and ultimate exclusion from correspondent banking networks and international capital markets. ‍

For SACCOs and smaller institutions, the path is difficult but not impossible. Collaborative approaches, technology partnerships, and phased implementation can make compliance achievable without sacrificing their mission of financial inclusion. The window for action, however, is narrowing rapidly. Regulators across East Africa have signalled that patience has limits and enforcement will intensify.

‍ ‍