The Financial Action Task Force (FATF), as the global standard-setting body for anti-money laundering (AML), countering the financing of terrorism (CFT), and counter proliferation financing (CPF), underscores the critical role of independent AML/CFT audits under Recommendation 18.
Section 43 of the Proceeds of Crime and Anti-Money Laundering Regulations, 2023 requires reporting institutions to adopt independent audit functions to check the institution's AML/CFT compliance.
The Insurance Regulatory Authority (IRA), as the sector-specific supervisory body, reinforces this requirement through its Guidance Note on Independent Review of the AML Compliance Program (issued June 2025) and The Insurance (Anti-Money Laundering and Combating Financing of Terrorism) Guidelines.
These guidelines require independent audit reports on the AML/CFT program to be submitted to the IRA by 31 January each year, as outlined in Paragraph 11(3).
Reporting institutions, as defined in the IRA Guidance, encompass any person or entity conducting underwriting and placement of life insurance and other investment-related insurance, including underwriters and insurance intermediaries.
Who Can Perform the Audits: Internal vs. External Providers
The independent review must be conducted by competent professionals possessing appropriate AML/CFT/CPF skills, knowledge, and experience, ensuring the assessment is undertaken with due skill, care, and diligence, free from actual or potential conflicts of interest.
Internal Reviewer: The AML/CFT program audit for insurance may be performed by staff from a separate independent line of defence, such as internal audit or compliance functions not involved in AML/CFT/CPF activities. Specifically, such staff should not participate in ML/TF/PF risk assessments, program development, or implementation. Eligible internal reviewers must have their responsibilities explicitly incorporated into job descriptions.
However, certain roles are ineligible, including the Money Laundering Reporting Officer (MLRO), Group MLRO (where applicable), risk management officers, or frontline employees involved in marketing, underwriting, or claims processing.
Outsourced/third-party reviewer: When selecting a third-party provider for AML/CFT program audit for insurance, institutions should evaluate candidates based on the nature and complexity of their business. Some of the key considerations include:
- Relevant qualifications, such as certifications in AML/CFT or auditing.
- Sound knowledge of Kenyan AML/CFT/CPF laws, regulations, and FATF standards.
- A strong understanding of the insurance sector’s operational context, including products, customer base, geographies, and delivery channels.
- A proven audit methodology.
Coverage: Scope of AML/CFT Program Audit for Insurance
The scope of AML/CFT Program Audit for Insurance is risk-based, proportionate to the institution’s nature, scale, complexity, transaction types, volume, and compliance history. Drawing from established guidance, the review typically covers the following core areas, among others:
- AML/CFT/CPF governance structure, policies, and procedures
- Existence, adequacy, and effectiveness of customer due diligence measures
- Appropriateness of AML/CFT/CPF risk assessment
- Transaction monitoring and reporting processes and systems
- Adequacy of the AML/CFT/CPF training program
- Appropriateness of record-keeping procedures
Additionally, the review incorporates follow-up on prior findings.
Next Steps
AML/CFT Program Audit Readiness: To ensure a successful review, institutions should prioritize readiness by defining clear objectives (routine or targeted), establishing a detailed review plan (including methodology and prior audit reviews), and compiling essential documents in advance.
Select an internal or external reviewer, with emphasis on independence and competence. For internal reviews, confirm eligibility; for external reviews, conduct due diligence on qualifications and methodology.
Reporting: Upon completion, the reviewer issues a formal report to the board and senior management. The principal officer develops a remedial action plan addressing deficiencies, with timelines and responsibilities.
Board Presentation: The report, management comments, and action plan are presented to the board for discussion and sign-off. Progress on implementation is monitored regularly by senior management, with updates to the board.
Report Submission to the IRA: Submit the report to the IRA within 30 days of receipt, but no later than 31 January annually. Reviews should occur at least annually, or more frequently if triggered by changes.
This article serves as a general guide to AML/CFT Program Audit in the Insurance Sector. For tailored advisory or AML/CFT audit services, contact FNJ & Associates.