
Kenya's FATF Grey Listing: What It Means for AML/CFT Compliance Programs at Regulated Institutions

Kenya has been on the FATF grey list since February 2024. This article examines what the listing means for banks, SACCOs, insurers, and fintechs — and what structured AML/CFT compliance programs must include to close the gaps.

Trigarc Admin | 8 min read | Trigarc Risk

On 23 February 2024, the Financial Action Task Force placed Kenya on its list of Jurisdictions under Increased Monitoring — commonly known as the grey list. More than two years later, Kenya remains on it. The listing followed a mutual evaluation that identified systemic weaknesses in the country's framework for combating money laundering, terrorism financing, and proliferation financing. The gaps were specific: insufficient prosecution of money laundering cases, inadequate supervision of virtual asset service providers, weak oversight of non-profit organisations, and incomplete beneficial ownership transparency.

For the government, grey-listing is a policy and funding challenge. The Financial Reporting Centre — Kenya's financial intelligence unit — requested Sh2.49 billion for the 2026/27 fiscal year but received an allocation ceiling of just Sh765.5 million. After deducting personnel costs and fixed administrative expenses, operational funds stood at zero. The National Assembly's finance committee subsequently recommended an additional Sh388 million allocation, but even this would leave the FRC below its minimum operational threshold of Sh1.33 billion. The agency's director-general was clear: Kenya cannot exit the grey list without a well-funded exit plan.

For regulated private institutions — banks, SACCOs, insurers, fintechs, forex bureaus, lawyers, real-estate firms, and other designated non-financial businesses and professions — the grey listing is not primarily a government problem. It is a compliance obligation that demands structured, auditable, and technology-supported AML/CFT controls. The enhanced scrutiny that grey-listing triggers from correspondent banks, international investors, and development finance institutions falls directly on private-sector balance sheets. This article examines what the FATF findings mean for institutional compliance programs, and what structured AML/CFT governance must look like in practice.

What the FATF Found: The Specific Gaps That Matter for Institutions

The FATF mutual evaluation identified several categories of weakness. Each has direct implications for private institutions. Beneficial ownership transparency was flagged as inadequate — meaning institutions cannot rely on public registries alone to establish who ultimately owns or controls their customers and counterparties. Virtual asset service providers, including cryptocurrency exchanges and wallet providers, lack a comprehensive supervisory framework, exposing financial institutions that interact with digital asset flows to unmonitored risk channels. Non-profit organisations were cited for insufficient oversight, which matters for banks and SACCOs that hold NPO deposits and process their transactions. And money laundering prosecutions remain too few relative to the volume of suspicious activity, signalling that the enforcement chain from detection through investigation to conviction has structural bottlenecks.

For a compliance officer at a Kenyan bank or insurance company, these gaps translate into heightened risk in everyday operations. Customer due diligence processes must compensate for the absence of reliable beneficial ownership registries. Transaction monitoring must account for digital asset flows that may pass through inadequately supervised intermediaries. And the institution's own suspicious transaction reporting and case management must be rigorous enough to withstand the international scrutiny that grey-listing invites — because correspondent banks and cross-border counterparties will be asking.

The Cost of Grey-Listing for Regulated Institutions

Grey-listing does not impose formal sanctions, but its consequences for private institutions are real and measurable. Correspondent banking relationships — the infrastructure through which Kenyan banks process international payments — come under enhanced due diligence requirements from foreign counterparts. Transaction processing times increase. Compliance documentation demands multiply. In some cases, correspondent banks reduce exposure or exit relationships entirely, forcing Kenyan institutions to find alternative clearing channels at higher cost.

Cross-border investors and development finance institutions subject Kenyan portfolio companies and investees to heightened governance scrutiny. For insurers seeking reinsurance in international markets, the grey listing raises the compliance bar that treaty and facultative partners apply. For SACCOs that hold member deposits and process transactions, the risk is indirect but significant — their banking relationships carry the grey-listing premium, and any AML/CFT deficiency at the SACCO level compounds the exposure.

The Metropolitan National Sacco crisis illustrates what happens when governance and financial integrity infrastructure fail at scale. The SACCO reported a loan book of Sh17.2 billion with a default rate of 98.99 percent at the close of 2024, negative equity of Sh12 billion, and an untraceable Sh50 billion in historical lending. Nineteen former officials have been charged with conspiracy to defraud the institution of Sh14.49 billion. Members are suing through the Co-operative Tribunal to recover their deposits. While Metropolitan's failure is extreme, it demonstrates the governance vacuum that weak AML/CFT and risk infrastructure can create — and the regulatory, legal, and reputational costs that follow.

What a Structured AML/CFT Compliance Program Requires

An AML/CFT compliance program that meets FATF expectations and satisfies the enhanced scrutiny of grey-listing is not a checklist or a policy document. It is an operating system with specific, integrated components: a risk assessment methodology that identifies, scores, and monitors money laundering and terrorism financing risks across customer types, product lines, geographies, and delivery channels; customer due diligence procedures that establish and verify beneficial ownership, not just the nominal account holder; transaction monitoring that detects patterns consistent with laundering, fraud, or terrorism financing and generates alerts for investigation; a suspicious transaction reporting workflow that captures, investigates, documents, and files STRs with the Financial Reporting Centre within the required timelines; and sanctions and PEP screening that checks customers and transactions against current sanctions lists, politically exposed person databases, and adverse media sources.

Each of these components must be documented, auditable, and defensible under regulatory examination. The institution must be able to demonstrate not just that the controls exist, but that they operate effectively — that alerts are investigated, that STRs are filed, that CDD is refreshed on schedule, and that the board risk committee receives regular reporting on the institution's AML/CFT risk posture.

ML/TF Risk Assessment: The Foundation of the Program

The ML/TF risk assessment is the foundation on which every other control is built. It identifies the specific money laundering and terrorism financing risks to which the institution is exposed — by customer segment, by product, by geography, and by delivery channel — and assigns a risk rating that drives the intensity of monitoring and due diligence applied. Without a structured risk assessment, institutions apply controls uniformly and inefficiently, subjecting low-risk customers to excessive friction while potentially under-monitoring high-risk segments.

The risk assessment must be documented, approved by the board or a designated committee, reviewed at defined intervals, and updated when the institution's risk profile changes — for example, when new products are launched, new customer segments are onboarded, or the regulatory environment shifts. In the context of FATF grey-listing, the risk assessment must explicitly address the gaps identified in the mutual evaluation: beneficial ownership risk, exposure to virtual asset flows, and NPO-related risk.

Transaction Monitoring, Screening, and Reporting

Transaction monitoring must be calibrated to detect patterns that are meaningful in the Kenyan context — including mobile money flows, agent banking activity, and cash-intensive business patterns that characterise significant portions of the economy. Global monitoring tools often generate excessive false positives because their rule sets and anomaly models are trained on banking patterns in developed markets. Institutions operating in Kenya need monitoring that reflects local transaction patterns, Swahili and Somali name variants, and the specific typologies that Kenyan regulatory guidance has identified.

Sanctions and PEP screening must operate on current lists, with name-matching logic that accounts for local naming conventions. A screening tool that misses matches because it cannot handle Kenyan name structures is a control that fails in production. Suspicious transaction reporting must follow a documented workflow: detection, investigation, documentation, escalation, filing, and feedback. Every step must be recorded in an audit trail that regulators and auditors can examine.

Board Oversight and Regulatory Reporting

AML/CFT compliance is a board-level responsibility. The board — or a designated risk or compliance committee — must receive regular reporting on the institution's AML/CFT risk posture, the volume and disposition of alerts, STR filing activity, the results of CDD refresh cycles, and any regulatory findings or actions. This reporting must be structured, consistent, and based on data — not on ad hoc management representation.

In the current environment, boards at Kenyan institutions face a specific governance question: can the institution demonstrate to its correspondent banks, its regulator, and its auditors that its AML/CFT program is operating effectively? The answer requires not just policies and procedures, but evidence — auditable records of risk assessments conducted, alerts investigated, STRs filed, and sanctions screening completed. That evidence must be generated continuously, not assembled retrospectively for an examination.

Technology Infrastructure for AML/CFT Compliance

The scale and complexity of AML/CFT compliance — transaction monitoring across multiple channels, sanctions screening against frequently updated lists, CDD refresh cycles across the customer base, and board-level reporting — exceeds what manual processes and spreadsheets can sustain. Institutions need structured technology infrastructure that automates monitoring, generates alerts, manages investigation workflows, produces audit trails, and delivers real-time risk dashboards to the compliance function and the board.

Trigarc Risk provides this infrastructure through its AML/CFT and fraud risk capability area, which includes ML/TF risk assessment, customer risk rating, transaction monitoring configuration, sanctions and PEP screening workflows, SAR/STR case management, and board risk reporting — integrated with the broader enterprise risk register so that AML/CFT risk is visible alongside credit, operational, and strategic risks in one view.

Moving From Reactive to Structured AML/CFT Governance

Kenya's path off the FATF grey list depends on government action — funding the FRC, passing beneficial ownership legislation, establishing VASP supervision, and increasing money laundering prosecutions. But the compliance obligations on private institutions exist regardless of the government's timeline. Banks, SACCOs, insurers, and fintechs that wait for the government to fix the infrastructure before strengthening their own AML/CFT programs are accepting risk that their boards, their regulators, and their correspondent banking partners will eventually price.

The institutions that emerge strongest from the grey-listing period will be those that used the pressure as a catalyst to build AML/CFT programs that are not merely compliant but operationally effective — structured risk assessments, calibrated monitoring, efficient investigation workflows, and board reporting that turns compliance data into governance intelligence. That is not a regulatory burden. It is a competitive advantage in a market where financial integrity is increasingly the price of access to international capital and commerce.


Frequently Asked Questions

What does FATF grey-listing mean for Kenyan banks and financial institutions?

Grey-listing signals that Kenya has strategic deficiencies in its AML/CFT framework. For private institutions, this triggers enhanced due diligence requirements from correspondent banks and international counterparties, increased compliance documentation demands, and heightened regulatory scrutiny of institutional AML/CFT controls.

What are the specific FATF gaps that Kenya must address?

The FATF identified weaknesses in money laundering prosecution, beneficial ownership transparency, supervision of virtual asset service providers, and oversight of non-profit organisations. Each gap creates compliance obligations for regulated institutions that interact with these sectors.

How does AML/CFT compliance connect to enterprise risk management?

AML/CFT risk is a subset of operational and regulatory risk. An integrated enterprise risk management platform like Trigarc Risk places ML/TF risk assessment, sanctions screening, and STR case management alongside credit, market, and strategic risks — giving the board a consolidated risk view rather than siloed compliance reports.

Can SACCOs and smaller institutions afford structured AML/CFT technology?

Yes. Cloud-based platforms like Trigarc Risk are subscription-based and modular, allowing SACCOs and smaller institutions to deploy AML/CFT capabilities without the capital expenditure of legacy on-premise systems. The cost of non-compliance — regulatory sanctions, correspondent banking disruptions, and reputational damage — significantly exceeds the cost of structured controls.

How long will Kenya remain on the FATF grey list?

The timeline depends on Kenya's progress in addressing the action plan agreed with FATF. The government has signalled urgency, but FRC funding constraints and legislative requirements for beneficial ownership and VASP supervision suggest that exit may take additional review cycles. Institutions should plan for sustained enhanced scrutiny rather than assuming a near-term exit.

About Trigarc

Trigarc suite — comprising Trigarc Audit, Trigarc Risk, and Trigarc Compliance — helps organisations manage governance, risk, and compliance in one integrated platform. Visit us at trigarc.com to learn more.
