How the 2025 POCAMLA Amendments Affect Law Firms in Kenya

POCAMLA now touches daily law firm operations. Without understanding the 2025 amendments, client onboarding, trust accounts, and records can quickly lead to fines or frozen accounts.

On 14 June 2025, President William Ruto signed the Anti-Money Laundering and Combating of Terrorism Financing and Proliferation Financing (Amendment) Act, 2025 into law. For most advocates, it was just another headline. Another regulatory update to skim past. 

But this one is different.

So let me walk you through what’s actually happened, what the law actually says, and what you need to do about it. No panic. Just facts.

First, Understand Why This Is Happening

The 2025 amendments didn’t come out of nowhere. They’re the direct result of international pressure that has been building for years.

In February 2024, the Financial Action Task Force (FATF) placed Kenya on its "grey list", the list of jurisdictions under increased monitoring for strategic deficiencies in their anti-money laundering frameworks. The FATF identified specific weaknesses: insufficient prosecution of money laundering offences, weak supervision of vulnerable sectors (including lawyers), and gaps in beneficial ownership disclosure (FATF, Jurisdictions under Increased Monitoring, June 2025).

Then on 10 June 2025—just four days before the Act was signed—the European Commission formally added Kenya to the EU’s list of high-risk third countries for AML/CTF deficiencies (AMG Advocates, “Reporting Obligations under POCAMLA and PTA in Kenya,” October 2025). That’s not a symbolic gesture. It means European banks and financial institutions must apply enhanced due diligence to any transactions involving Kenya. The commercial pressure is real.

As of February 2026, Kenya remains on the FATF grey list. The government is targeting an exit by May 2026.

The Law Firm as a "Reporting Institution"

Here’s something I need to be upfront about, because there's a lot of confusion on this point: the classification of lawyers as Designated Non-Financial Businesses and Professions (DNFBPs) under POCAMLA is not a 2025 invention.

Kenya has been trying to bring lawyers into the AML framework since at least 2007. There were further attempts in 2018 and 2019, all of which faced resistance from the legal profession on the grounds of advocate-client privilege.

The first successful legislative inclusion came through the POCAMLA (Amendment) Act, 2021 (assented to on 3 January 2022), which amended Section 48 to include advocates, notaries, and other independent legal professionals as reporting entities for specified financial transactions.

That amendment was immediately challenged in court. In Mwaura Kabata v. Hon. Attorney General & Others (High Court Petition No. E005 of 2022), Justice J.A. Makau issued conservatory orders stopping the operationalisation of the relevant provisions, citing the erosion of advocate-client privilege.

A compromise was reached through the 2023 AML/CFT amendments. Under this framework, the Law Society of Kenya (LSK) was designated as a self-regulatory body, creating a buffer between individual advocates and the FRC. Lawyers report through the LSK, and advocate-client privilege was ringfenced. 

So the 2025 amendments are strengthening and expanding an existing framework - not creating one from scratch. If you’re only hearing about this now, you’re already behind. But you’re not too late.

What Actually Triggers Your Obligations

This is the part that matters most to partners running a practice. Your reporting obligations under Section 48 of POCAMLA are not triggered by everything your firm does. They’re triggered by specific transactional activities:

  • Buying and selling of real estate (conveyancing, property transfers).

  • Managing client money, securities, or other assets (anything moving through your Trust Account).

  • Management of bank, savings, or securities accounts on behalf of a client.

  • Organisation of contributions for the creation, operation, and management of companies.

  • Creation, operation, or management of legal persons or arrangements, and buying and selling of business entities.

Notice what’s not on that list: litigation. The giving of legal advice. Representation in court proceedings. As the FRC’s own Director General, Saitoti ole Maika, has publicly stated: “The reporting obligations for lawyers only apply when they carry out specified financial transactions” (Nation, “Role of lawyers in curbing money laundering,” 2020).

This distinction is critical. If you’re a litigator who never handles client funds or corporate structuring, your day-to-day work is largely unaffected. But if your firm does conveyancing, trust administration, or company formation (and most full-service firms do), you are squarely within scope.

Advocate-Client Privilege Is Preserved With Limits

I speak to partners who worry that these obligations have gutted advocate-client privilege. They haven’t. But you need to understand the boundaries.

Section 18(1) of POCAMLA explicitly states that nothing in the Act affects the relationship between an advocate and their client with regard to privileged communications. Section 18(2) limits this protection to advice given in the course of professional employment or in connection with legal proceedings. Additionally, Section 134 of the Evidence Act (Cap. 80) provides independent statutory protection.

The critical exception - and this is consistent with global practice - is that privilege does not protect communications made in furtherance of fraud or crime. The LSK Digest of Conduct and Etiquette is clear on this point.

Under the 2023 framework, suspicious transaction reports go through the LSK as a self-regulatory body, not directly to the FRC. That’s the compromise. It’s designed to protect the relationship. But it only works if lawyers actually engage with it.

PEPs, Beneficial Ownership, and the Source of Funds Question

In my fifteen years doing this work, one thing hasn’t changed: the transactions that cause problems are the ones where nobody asked the right questions at the beginning.

The 2025 amendments strengthen requirements around Politically Exposed Persons (PEPs). If your client - or the beneficial owner behind the entity you’re acting for - is a PEP, their family member, or a close associate, you must apply Enhanced Due Diligence (EDD). 

Beneficial ownership verification is also tightened. You need to identify the actual natural person who ultimately owns or controls the client entity. The ESAAMLG’s 2022 Mutual Evaluation Report specifically flagged Kenya’s weaknesses in this area. The 2025 amendments are the legislative response.

And on the cash question: under POCAMLA, any cash transaction equivalent to or exceeding USD 15,000 (or its equivalent in any currency) must be reported to the FRC through the goAML platform, regardless of whether it appears suspicious (FRC Kenya, Compliance Page, frc.go.ke). A large cash retainer without a verified source of funds is exactly the kind of transaction that draws scrutiny. In this environment, the fee is never worth the risk to your practising certificate.

The Hushpuppi Case: Let’s Get the Facts Right

I want to address something that often comes up in these conversations. The case of United States v. Ramon Olorunwa Abbas (Case No. 2:20-CR-00322-ODW, Central District of California)—the “Hushpuppi” case—is frequently cited to show how law firms can be complicit in money laundering. But that’s not what the case actually shows.

Abbas was sentenced to 135 months in federal prison in November 2022 for conspiracy to engage in money laundering. One of his schemes involved a New York law firm. But the law firm was the victim, not a co-conspirator. According to the FBI affidavit, Abbas and his associates used a spoofed email address to trick a paralegal at the firm into wiring approximately USD 922,857—funds intended for a client’s real estate refinancing—to an account controlled by the conspirators (US Secret Service, “Nigerian National Brought to U.S. to Face Charges,” July 2020; CNN, November 2022).

This is a business email compromise (BEC) fraud. The firm didn’t knowingly provide a “veneer of legitimacy” to illicit funds. It was exploited.

Why does this matter? Because it illustrates a different but equally important risk: law firms are targets. Client accounts, conveyancing transactions, and high-value settlements make firms attractive to sophisticated criminal networks. Robust KYC and transaction verification aren’t just about regulatory compliance—they’re about protecting your firm from being used as a conduit, whether you know it or not.

Final Thoughts

The 2025 POCAMLA amendments are significant, but they’re not the earthquake some people are describing. They’re the latest step in a process that started with the original POCAMLA in 2009, intensified with the 2022 and 2023 amendments, and has been accelerated by Kenya’s FATF grey listing and the EU’s high-risk designation.

The legal profession is not being singled out. Lawyers are joining the same framework that banks, insurers, real estate agents, and accountants already operate within. The difference is that the LSK’s role as a self-regulatory body gives the profession a layer of protection that other sectors don’t have. Use it.

My work with partners over the past fifteen years has taught me that compliance is never the problem - it’s the lack of systems that creates the crisis. The firms that struggle are the ones still running client onboarding on paper forms and filing KYC documents in cabinets that no one can search when the auditor calls. The firms that sleep well are the ones where every client has a digital record, every identity verification has a timestamp, and every document is retrievable in minutes, not days.

That gap - between knowing what the law requires and actually having the infrastructure to meet it - is exactly what led us to build Sisu by Lenhac. It’s what I wish I’d had when I started advising firms on compliance a decade ago. Sisu handles the things that trip firms up in practice: digital client onboarding with built-in KYC verification, and structured document and record management that keeps you audit-ready without turning your associates into filing clerks. It’s not a generic tech platform—it’s built by people who understand compliance at a granular level, because that’s what we do every day.

I’m not saying software replaces judgment. It doesn’t. You still need to understand your client, assess the risk, and make the call. But the administrative backbone - the records, the verification trail, the ability to pull a complete client file when the FRC or your bank asks for one - that shouldn’t depend on whether someone remembered to scan a document three years ago.

Lead with transparency. Keep clean records. Ask the hard questions at intake, not after the deposit has cleared. The law is clear. The expectations are clear. The only question is whether your firm is ready.

If you want to see how Sisu works, or just want to talk through what compliance looks like for your specific practice, I’m always happy to have that conversation.
