KYC, KYB & AML compliance checklist
Malawi KYC, KYB & AML
An implementation checklist for customer and business verification in Malawi, covering the Financial Crimes Act, 2020 Money Laundering Regulations, targeted financial sanctions, company verification, payments and the Data Protection Act 2024.
- Reviewed
- 17 July 2026
- Version
- 1.0
- control areas
- 11
- implementation checks
- 37
Direct answer
What does the Malawi compliance checklist cover?
The Malawi checklist translates primary KYC, KYB and AML rules into 11 control areas and 37 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Primary AML/CFT law
- Financial Crimes Act (Chapter 7:07), commenced 17 February 2017
- Financial intelligence unit
- Financial Intelligence Authority (FIA)
- STR timing
- As soon as possible and no later than three days after suspicion; attempts and any amount are covered
- Large transaction reporting
- MWK 5,000,000 transaction or aggregate under the 2020 Regulations; current FIA direction controls submission timing
- Local mobile-money transfer reporting
- Each transfer above MWK 300,000 under regulation 21
- Casino CDD trigger
- MWK 2,000,000 within 24 hours for specified gaming transactions, plus entry/access identification duties
- Core AML retention
- Seven years, with the start event determined by record class
- Beneficial ownership
- Natural-person ownership/control, other control, then senior-management fallback; no universal percentage stated in the Act
- Data protection
- Data Protection Act 2024, commenced 31 May 2024; confirm live registration and incident procedures with MACRA
- FATF public lists
- Not named in FATF statements dated 19 June 2026; ESAAMLG follow-up continues
Implementation detail
Malawi compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Scope, authorities and regulated activitiesResolve entity, product, profession and supervisor scope before configuring controls.3 items+
Financial institutions and designated non-financial businesses and professions within the statutory definition are reporting institutions.
- Implementation action
- Map each entity, product, branch, profession, agent and outsourced activity to the Act and its supervisor.
- Evidence to retain
- Perimeter memorandum, entity-product matrix, licences and authority map.
- Primary citation
- Financial Crimes Act (FCA), s.2 and Second Schedule
The FIA receives and analyses reports, issues guidance and supervises compliance within its mandate.
- Implementation action
- Register required contacts and reporting access, appoint alternates and maintain a regulatory calendar.
- Evidence to retain
- FIA registration, channel access, contact register and calendar.
- Primary citation
- FCA, ss.3-6 and 23, 33
Deposit-taking, payments, remittance, e-money and other financial services require the applicable RBM authority before launch.
- Implementation action
- Obtain a written perimeter and every required RBM licence or approval before pilot or production operation.
- Evidence to retain
- RBM classification, licence, conditions, approved product map and renewal register.
- Primary citation
- Financial Services Act 2010; National Payment Systems Act; RBM licensing framework
02Governance, risk assessment and control ownershipBuild accountable controls from documented customer, product, delivery, geography and transaction risk.3 items+
Reporting institutions identify, assess, document and keep current their ML/TF risks and apply proportionate mitigation.
- Implementation action
- Approve enterprise and customer-risk methodologies, document inputs and overrides and review material change.
- Evidence to retain
- Risk assessments, methodology, ratings, approvals and remediation plan.
- Primary citation
- FCA, s.21(1)-(4); 2020 Regulations, reg.3
A written customer-acceptance policy is updated annually or on new developments and approved by the board.
- Implementation action
- Define acceptance, escalation, prohibition and exception rules and obtain annual board approval.
- Evidence to retain
- Policy, board minutes, change record and staff guidance.
- Primary citation
- 2020 Regulations, reg.18
The AML programme includes internal rules, training, compliance oversight and independent testing.
- Implementation action
- Appoint an authorised compliance officer, provide information access and test the complete lifecycle independently.
- Evidence to retain
- Appointment, charter, training, audit reports and issue tracker.
- Primary citation
- FCA, ss.27-28; 2020 Regulations, regs.30-35
03Natural-person identification and CDDIdentify and verify customers at relationship, prescribed transaction, wire, suspicion and identity-doubt triggers.4 items+
CDD is required for a relationship, prescribed occasional or wire transaction, suspicion, and doubt about earlier evidence.
- Implementation action
- Configure all five triggers and linked-transaction detection; never let a monetary threshold suppress suspicion-driven CDD.
- Evidence to retain
- Trigger matrix, aggregation logic, test cases and exceptions.
- Primary citation
- FCA, s.16(1); 2020 Regulations, reg.4
A natural person is identified through official documentation and verified using reliable, independent sources.
- Implementation action
- Capture name, address, occupation and official identity evidence; validate authenticity and screen the person.
- Evidence to retain
- Identity record, authenticity result, independent verification and screening decision.
- Primary citation
- FCA, s.16(1)-(2)(b); 2020 Regulations, regs.5-6, 10-12
Purpose, intended nature and risk-relevant source information must be understood.
- Implementation action
- Record intended products, expected activity, counterparties, geography and corroborated source information proportionate to risk.
- Evidence to retain
- Customer profile, purpose statement, expected-activity baseline and source evidence.
- Primary citation
- FCA, s.16(2)(a)-(b); 2020 Regulations, reg.11
Deferred verification is exceptional and allowed only where prompt completion and effective risk management are assured.
- Implementation action
- Apply restrictions, a short completion deadline and escalation; do not treat deferral as routine onboarding.
- Evidence to retain
- Exception approval, rationale, restrictions and completion timestamp.
- Primary citation
- FCA, s.16(7); 2020 Regulations, reg.10(2)-(3)
04KYB, authority and beneficial ownershipVerify legal existence, representatives and the natural persons who ultimately own or control the customer.4 items+
Legal-person CDD covers name, legal form, existence, binding powers, senior management, registered office, ownership and control.
- Implementation action
- Obtain current CRIPC evidence and constitutive documents and reconcile directors, addresses, mandates and ownership.
- Evidence to retain
- Registry extract, constitution, directors, address, licence and discrepancy log.
- Primary citation
- FCA, s.16(2)(c); 2020 Regulations, regs.8-9, 13-15
A person acting for another customer must have verified authority and identity.
- Implementation action
- Verify each representative separately and validate the mandate before permitting activity.
- Evidence to retain
- Identity file, mandate, board authority and verification result.
- Primary citation
- FCA, s.16(9)(b); 2020 Regulations, reg.16
Beneficial-owner analysis follows natural-person controlling ownership, control through other means and senior-management fallback.
- Implementation action
- Trace every ownership layer, test non-ownership control and document why any senior-manager fallback was necessary.
- Evidence to retain
- Ownership chart, registry evidence, control analysis, BO KYC and fallback rationale.
- Primary citation
- FCA, ss.2 and 16(3)-(4)
Trust CDD identifies the settlor, trustee, protector if any, beneficiaries or class and every other natural person exercising ultimate effective control.
- Implementation action
- Verify the trust instrument, roles, powers, control chain and relevant natural persons.
- Evidence to retain
- Trust deed, role register, powers analysis and verified identity files.
- Primary citation
- FCA, s.16(5)-(6); 2020 Regulations, regs.8, 13
05PEPs, enhanced due diligence and remote onboardingHigher-risk and politically exposed relationships require accountable approval and stronger evidence.4 items+
Systems determine whether a customer or beneficial owner is a PEP and extend reasonable measures to family and close associates.
- Implementation action
- Screen before activation and continuously, resolve matches and preserve reliable role and relationship evidence.
- Evidence to retain
- Screening, match decision, role evidence and relationship analysis.
- Primary citation
- FCA, ss.2 and 16(2)(d); 2020 Regulations, reg.7
PEP relationships require senior-management approval, source-of-wealth and source-of-funds measures and enhanced ongoing monitoring.
- Implementation action
- Corroborate source evidence, record approval before starting or continuing and configure enhanced monitoring.
- Evidence to retain
- Source file, approval, monitoring plan and reviews.
- Primary citation
- FCA, s.16(2)(d)
High risk receives enhanced CDD; simplified measures require substantiated lower risk.
- Implementation action
- Define standard, enhanced and simplified control sets with eligibility rules and prohibited overrides.
- Evidence to retain
- Risk-control matrix, rationale, approvals and override log.
- Primary citation
- FCA, s.21(5)-(6); 2020 Regulations, regs.3-4
Non-face-to-face relationships receive the same identification, verification and monitoring standards as face-to-face relationships; the Act's non-resident limitation must be assessed.
- Implementation action
- Confirm legal eligibility, then use document-integrity, presence, independent-data, device and fraud checks proportionate to risk.
- Evidence to retain
- Eligibility memo, remote standard, test results, fraud logs and exceptions.
- Primary citation
- FCA, s.16(8)
06Failed CDD, monitoring and suspicious reportingBlock unsafe activity, monitor continuously and report suspicion promptly and confidentially.5 items+
If satisfactory identity evidence is unavailable, do not open, start or transact; submit an STR within three days and do not proceed unless FIA directs.
- Implementation action
- Route failed CDD to block and confidential reporting review without alerting the customer.
- Evidence to retain
- Failure reason, block, STR, submission receipt and FIA direction if any.
- Primary citation
- FCA, s.19; 2020 Regulations, reg.4(3)-(4)
Ongoing monitoring tests activity against customer knowledge, business, risk and source information and keeps records current.
- Implementation action
- Configure risk-based refresh, event triggers and transaction monitoring; investigate deviations.
- Evidence to retain
- Refresh schedule, triggers, scenarios, alerts, cases and updated CDD.
- Primary citation
- FCA, s.29; 2020 Regulations, regs.19(5), 24
Suspected or confirmed transactions and attempted transactions connected to an offence are reportable regardless of amount.
- Implementation action
- Escalate immediately, preserve the suspicion timestamp and submit a complete STR to FIA.
- Evidence to retain
- Internal report, analysis, STR, receipt and case timeline.
- Primary citation
- FCA, s.23(1)-(2); 2020 Regulations, reg.29
An STR is due as soon as possible and no later than three days after suspicion, wherever possible before execution.
- Implementation action
- Use a shorter internal SLA measured from the documented formation of suspicion.
- Evidence to retain
- Suspicion timestamp, approval, submission timestamp and SLA monitoring.
- Primary citation
- FCA, s.23(1)
Tipping off and unauthorised disclosure of reports or suspicion are prohibited; reporting overrides inconsistent secrecy duties subject to legal privilege.
- Implementation action
- Restrict case access, control customer communications and train staff on permitted disclosures.
- Evidence to retain
- Access logs, communication plan, training and disclosure register.
- Primary citation
- FCA, ss.24-26 and 32
07Threshold reports, wires and sector triggersKeep CDD, STR and prescribed threshold-reporting duties separate.4 items+
Transactions or aggregate transactions of at least MWK 5,000,000 require the prescribed large-currency or electronic-transfer report, with timing guided by FIA.
- Implementation action
- Aggregate accurately, apply current FIA formats and timing and submit an STR separately where suspicion exists.
- Evidence to retain
- Threshold configuration, aggregation tests, report, FIA receipt and linked STR decision.
- Primary citation
- FCA, s.33; 2020 Regulations, reg.28
Local mobile-money or similar local transfer reporting applies to each transfer above MWK 300,000; domestic and international electronic transfers also fall within regulation 21.
- Implementation action
- Confirm current FIA file specifications and configure the correct transfer populations without treating the threshold as a CDD safe harbour.
- Evidence to retain
- Scope memo, transfer rules, test cases, submissions and receipts.
- Primary citation
- 2020 Regulations, reg.21
Electronic transfers carry complete originator and beneficiary information; deficient transfers require risk-based execution, rejection or suspension and reporting controls.
- Implementation action
- Validate required fields through the chain, hold deficient messages and monitor persistent counterpart failures.
- Evidence to retain
- Field matrix, validation, repair/reject queue, monitoring and samples.
- Primary citation
- FCA, s.28; 2020 Regulations, reg.20
Casinos identify customers at entry or remote access and apply the MWK 2,000,000 24-hour transaction triggers specified in regulation 17.
- Implementation action
- Aggregate chips, gaming-machine and remote-gaming activity per customer over 24 hours and retain identification records.
- Evidence to retain
- Access record, aggregation, identity file and test results.
- Primary citation
- 2020 Regulations, reg.17
08Targeted financial sanctionsImplement current UN and domestic designations without delay and without prior notice.2 items+
Reporting institutions screen against current domestic and United Nations designation lists and must not make funds or services available to designated persons.
- Implementation action
- Screen customers, beneficial owners, representatives, counterparties and transactions at onboarding and on list change.
- Evidence to retain
- List provenance, screening logs, population reconciliation and match decisions.
- Primary citation
- Financial Crimes (Suppression of Terrorist Financing and Proliferation) Regulations 2017, regs.8-12
Property of a designated person is frozen without delay and the competent authority is notified using the current procedure.
- Implementation action
- Maintain a 24/7 escalation path, validate matches, block access without notice and contact FIA for the live reporting route.
- Evidence to retain
- Match analysis, freeze timestamp, asset inventory, report and receipt.
- Primary citation
- 2017 TFS Regulations, regs.11-12
09Records, access and assuranceRetain reconstructable evidence for the correct seven-year clock and make it promptly available.3 items+
Identity, transaction, correspondence, FIA reports, unreported investigations and FIA enquiries are retained for at least seven years under class-specific clocks.
- Implementation action
- Map each record class to its statutory start event, legal hold and deletion control.
- Evidence to retain
- Retention schedule, system configuration, samples, legal holds and deletion tests.
- Primary citation
- FCA, s.22; 2020 Regulations, reg.19
Records must reconstruct transactions and be immediately available to FIA and competent authorities.
- Implementation action
- Index linked CDD, transaction, investigation and report evidence and test retrieval.
- Evidence to retain
- Request register, retrieval tests, access control and response package.
- Primary citation
- FCA, s.22(3)-(5)
Reliance on a third party does not transfer ultimate CDD responsibility.
- Implementation action
- Assess supervision and country risk, obtain core information immediately and contract for documents without delay.
- Evidence to retain
- Due diligence, agreement, document tests, monitoring and exit plan.
- Primary citation
- FCA, s.17
10Privacy, biometrics and transfersApply the Data Protection Act 2024 alongside AML retention and disclosure duties.3 items+
Personal data needs a documented lawful basis, specified purpose, proportionate collection, accuracy, security and governed retention.
- Implementation action
- Maintain a data inventory and notices, minimise onboarding fields and reconcile AML retention with privacy deletion rules.
- Evidence to retain
- Inventory, lawful-basis record, notices, retention map, access and deletion logs.
- Primary citation
- Data Protection Act 2024
Biometric and other sensitive verification data require heightened necessity, access, security and vendor controls.
- Implementation action
- Complete a documented privacy and security assessment before biometric processing and preserve consent or another applicable legal condition.
- Evidence to retain
- Assessment, legal condition, template controls, access logs and vendor assurance.
- Primary citation
- Data Protection Act 2024
Security incidents and international transfers must follow the Act and current MACRA procedures.
- Implementation action
- Confirm live notification, registration and transfer mechanics with MACRA; maintain incident and transfer playbooks without inventing deadlines not verified in the official text.
- Evidence to retain
- MACRA confirmation, incident register, transfer map, contracts and assessments.
- Primary citation
- Data Protection Act 2024; Government Notice 40 of 2024
11Practical evidence packs and change controlMake every decision reconstructable and keep time-sensitive rules current.2 items+
A complete customer file links identity, KYB, ownership, screening, risk, approval, monitoring and reporting decisions.
- Implementation action
- Block activation when mandatory evidence or approval is missing and preserve the release decision.
- Evidence to retain
- Control checklist, linked case file, approvals and release log.
- Primary citation
- FCA, ss.16-23; 2020 Regulations
Thresholds, report channels, sanctions lists, FATF status, licensing conditions and privacy procedures require ongoing legal monitoring.
- Implementation action
- Assign owners and review FIA, RBM, CRIPC, MACRA, Gazette, FATF and ESAAMLG sources on a governed schedule.
- Evidence to retain
- Legal inventory, source log, change assessments and implementation tickets.
- Primary citation
- Official sources listed below

11 control areas and 37 implementation checks, with direct regulatory sources.
Download the Malawi KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Malawi implementation checklist. Regulatory review date: 17 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.0, reviewed 17 July 2026
Trusted by leading compliance teams
Primary-source register
13 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Financial Crimes Act (Chapter 7:07)Malawi Gazette text via MalawiLII · Primary legislation reproduction
- Financial Crimes (Money Laundering) Regulations, 2020Malawi Gazette text via MalawiLII · Primary regulations reproduction
- Financial Crimes (Money Laundering) (Amendment) Regulations, 2020Malawi Gazette text via MalawiLII · Primary regulations reproduction
- Financial Crimes (Suppression of Terrorist Financing and Proliferation) Regulations, 2017Malawi Gazette text via MalawiLII · Primary regulations reproduction
- Financial Services ActMalawi Gazette text via MalawiLII · Primary legislation reproduction
- Reserve Bank of MalawiReserve Bank of Malawi · Official regulator
- Companies Registrations and Intellectual Property CentreCRIPC · Official company registry
- CRIPC services and beneficial-ownership updatesCRIPC · Official registry guidance
- MACRA confirmation of the Data Protection Act, 2024MACRA · Official regulator confirmation
- Data Protection Act, 2024: CommencementMalawi Gazette text via MalawiLII · Primary commencement notice reproduction
- Malawi fourth enhanced follow-up report, April 2024ESAAMLG · Authoritative regional assessment
- Jurisdictions under Increased Monitoring - 19 June 2026FATF · Authoritative public statement
- High-Risk Jurisdictions subject to a Call for Action - 19 June 2026FATF · Authoritative public statement
Direct answers
Malawi KYC, KYB and AML questions
Who receives suspicious transaction reports in Malawi?+
The Financial Intelligence Authority. Use the current FIA-prescribed form and channel.
When is an STR due?+
As soon as possible and no later than three days after suspicion is formed, wherever possible before the transaction; attempts and any amount are covered.
What is the general large-transaction reporting threshold?+
The 2020 Regulations specify MWK 5,000,000 per transaction or aggregate for prescribed large-currency and electronic-transfer reports. Confirm current FIA formats and filing timing.
Does Malawi use one beneficial-ownership percentage for AML CDD?+
No universal percentage is stated in the cited Act. Identify natural persons through controlling ownership, other control and, only when necessary, senior-management fallback.
How long are core AML records kept?+
At least seven years, with the start event depending on the record class and relationship or transaction event.
Are financial services automatically permitted after company registration?+
No. Company registration does not replace RBM or other sector licensing and approval.
How should sanctions matches be handled?+
Validate urgently, freeze designated property without delay and use the current competent-authority reporting procedure without tipping off the affected party.
Does the Data Protection Act apply to identity verification?+
Yes where personal data is processed. Document purpose and lawful basis, minimise data, secure it, govern retention and confirm sensitive-data and transfer procedures with MACRA.
Is Malawi on a FATF public list?+
Malawi was not named in FATF's public statements dated 19 June 2026. ESAAMLG follow-up is a separate peer-review process.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 17 July 2026 · Version 1.0
This checklist is general regulatory information, not legal advice or a licence determination. It reflects sources reviewed on 17 July 2026. Confirm current Gazette amendments, FIA directives and report channels, RBM licensing conditions, CRIPC filing mechanics and MACRA data-protection procedures with Malawian counsel and the competent authority before launch. Monetary reporting thresholds, AML beneficial-ownership analysis and company-registry disclosures are distinct. VOVE ID supports evidence collection and audit trails; the reporting institution remains responsible for acceptance, reporting, freezing and compliance decisions.