Money laundering risk assessment in Kenya is a requirement for reporting institutions under regulation 7 of the Proceeds of Crime and Anti-Money Laundering Regulations (POCAMLR).
As per the regulation, every reporting institution must conduct risk assessments to identify, assess, understand, monitor, manage, and mitigate risks associated with money laundering (ML), terrorism financing (TF), and proliferation financing (PF).
Reporting institutions are obligated to update their money laundering risk assessment policies or programs regularly, and at least once every two years, taking into account changes such as entry into new markets and the introduction of new products and services. Commercial banks and mortgage finance institutions are required to submit a money laundering risk assessment report to the Central Bank of Kenya by 31 December of each year.
For purposes of this article, money laundering risk assessment has the meaning of ML/TF/PF risk assessment.
Reporting Institutions in Kenya
Section 2 of the Proceeds of Crime and Anti-Money Laundering Act, 2009 (POCAMLA), categorizes reporting institutions as either financial institutions or Designated Non-Financial Businesses and Professions (DNFBPs). The supervisory bodies and their respective reporting institutions are:
- Central Bank of Kenya: Commercial banks, mortgage finance institutions, microfinance institutions, foreign exchange bureaus, money remittance providers, digital credit providers, and payment service providers.
- Capital Markets Authority: Stock brokers, investment banks, fund managers, investment advisers, non-dealing online foreign exchange brokers, online foreign exchange money managers, and REIT managers.
- Insurance Regulatory Authority: Life insurance brokers, providers, and agents.
- Retirement Benefits Authority: Fund managers.
- Sacco Societies Regulatory Authority: Deposit-taking SACCOs and non-withdrawable deposit-taking SACCOs.
DNFBPs are supervised by bodies such as the Estate Agents Registration Board (real estate agencies), Betting Control and Licensing Board (casinos), Ministry of Mining (dealers in precious metals/stones), Institute of Certified Public Accountants of Kenya (accountants), Institute of Certified Secretaries of Kenya (trust and company service providers), and Law Society of Kenya (advocates, notaries, independent legal professionals).
Identification of ML/TF/PF Risks
In performing a money laundering risk assessment in Kenya, the initial phase involves categorizing risks into ML, TF, and PF buckets. For each, identify inherent risks stemming from various sources. For instance:
- Customer Types: High-risk clients might include politically exposed persons (PEPs), non-residents from high-risk jurisdictions, or entities with complex ownership structures.
- Products, Services, and Transactions: Complex products like trade finance or virtual assets may heighten risks; high-value wire transfers could indicate TF.
- Countries or Geographic Areas: Exposure to FATF-grey-listed countries or regions with weak AML regimes, such as neighboring conflict zones, amplifies threats.
- Delivery Channels: Non-face-to-face channels like online banking or mobile apps increase vulnerability to identity fraud.
- Other Qualitative Factors: Internal factors like staff training gaps or external ones like economic instability.
Document root causes (e.g., weak customer due diligence) and potential consequences (e.g., regulatory fines or reputational damage). Ensure alignment with Kenya’s National Risk Assessment (NRA), which highlights sectoral vulnerabilities.
Risk Measurement
Institutions must gather quantitative and qualitative data to evaluate identified risks. This could involve analyzing transaction data, customer profiles, and external intelligence from sources like the FRC or FATF reports.
Quantify inherent risks by assessing likelihood (probability of occurrence) and impact (severity if realized) on a predefined scale, such as 1-3 (Low-Medium-High) or 1-5 for greater granularity. The aggregate inherent risk is typically the product: e.g., a risk with high likelihood (3) and medium impact (2) yields a score of 6, classified as medium-high per the institution’s matrix. Customize the framework to the entity’s size and complexity; larger institutions might use advanced analytics or AI for data processing.
Control Evaluation
Identify existing controls, including AML policies, transaction monitoring systems, customer due diligence (CDD) procedures, and sanctions screening. Controls should be risk-based: enhanced due diligence (EDD) for high-risk scenarios (e.g., detailed source-of-funds verification for PEPs), while simplified measures suffice for low-risk retail customers, without compromising mandatory PF sanctions.
Evaluate control effectiveness through self-assessments, involving cross-functional teams. Use a qualitative scale like “Weak” (ineffective), “Fair” (partially effective), “Satisfactory” (adequate), or “Strong” (robust). Independent validation by internal audit, external auditors, or consultants ensures objectivity, with findings reported to senior management and the board for oversight.
Determining Residual Risks
Residual risk is the net exposure after applying controls to inherent risks. Recalculate using the same scale: for example, a high inherent risk (3 × 3 = 9) might reduce to medium (2 × 2 = 4) once controls such as automated monitoring are applied. Aggregate residual risks across categories to form the institution’s overall risk profile, informing strategic decisions and regulatory reporting.
Residual Risk Mitigation Plan
For elevated residual risks, develop targeted action plans. These might include upgrading IT systems for better transaction flagging, enhancing employee training on TF indicators, or revising policies for new products. Assign ownership to functional leads (e.g., compliance officers) with clear timelines, budgets, and KPIs. Monitor progress quarterly, escalating delays to the board.
Risk Assessment Coordination
This collaborative process requires defined roles:
- Compliance Function or Consultant: Typically leads the assessment, distributes questionnaires to departments, verifies data integrity, aggregates results, and prepares reports for escalation. They also integrate feedback from external sources like FRC advisories.
- Assurance Partners: Internal and AML audit consultants conduct independent reviews, testing control efficacy through sampling and simulations, sharing detailed reports with leadership.
- Senior Management: Oversees framework implementation, refines data collection (e.g., via dashboards), and drives mitigation actions, ensuring dissemination to staff and regulators if required.
- Board: Approves the risk framework, reviews periodic results (e.g., quarterly), allocates resources (e.g., budget for AML software), and endorses management recommendations, fostering a top-down compliance culture.
ML/TF/PF Risk Assessment Reporting
The compliance team should deliver detailed reports to senior management and the board at defined intervals, such as quarterly for high-risk institutions. Reports should segment risks by dimensions (e.g., by product line or geography), compare inherent vs. residual risks, evaluate control gaps, and outline mitigation roadmaps with progress updates. Visual aids like heat maps or dashboards enhance clarity, supporting informed governance and regulatory submissions.
By embedding these detailed practices, reporting institutions in Kenya can not only comply with POCAMLR but also proactively safeguard against ML/TF/PF threats, bolstering operational resilience and stakeholder trust.
This article provides a general guide to performing money laundering risk assessment in Kenya. For tailored advice, consult with compliance experts at FNJ Associates.