Keep a Risk Based Customer Due Diligence and Internal Controls File
Business Law
This article is prepared for internal business compliance planning. It is general legal information and does not determine whether a particular company is legally a reporting person. It also does not replace legal advice on licensing, suspicious transaction reporting or a specific supervisory inspection.
Customer due diligence is sometimes treated as a form to be completed at onboarding and then forgotten. That approach is increasingly difficult to defend. A regulated business in Rwanda should be able to show, from a single file, how it identifies customers, verifies beneficial owners, screens higher risk transactions, escalates suspicious activity, trains staff, keeps records and responds to supervisory requests. In a real inspection, the question is rarely whether a policy exists somewhere. The harder question is whether the business can prove that the policy works in practice.
Why the issue matters now
Law No. 001/2025 of 22/01/2025 replaced Rwanda’s 2023 AML/CFT law and sets out preventive measures for money laundering, terrorist financing and proliferation financing. The law is important for businesses that fall within the category of reporting persons, including financial institutions and other regulated service providers. Its practical message is clear. A business should not wait for an inspection before assembling its customer due diligence, record keeping and internal control evidence.
The new legal framework appears to place strong emphasis on risk awareness. That matters because not every customer, product or transaction carries the same level of concern. A small recurring customer with ordinary payment behaviour is different from a newly formed company with unclear ownership, unusually large transactions or links to higher risk geographies. A risk based approach asks the business to notice those differences and to record how it responded.
Confirming whether the business is covered
The first compliance task is to assess whether the business is a reporting person under the law. Article 8 introduces reporting persons, and management should not assume the answer without checking the company’s licence, activities, customers and services. This assessment should be written down. Even where the business concludes that it is not directly covered, it may still work with banks, payment providers or other regulated partners that require customer due diligence evidence as a condition of doing business.
A reporting person assessment memo is useful because it records the reasoning behind management’s conclusion. It should identify the business activity, the relevant licence or registration status, the services offered, the customer base and the reason management believes the AML/CFT framework applies or does not apply. This memo should be reviewed when the business launches a new product, enters a new market, appoints an agent, changes ownership or begins serving higher value customers.
Customer due diligence as evidence
The core file should contain customer due diligence and beneficial owner records. Those records should show how the business identifies customers, verifies identity, records the purpose of the relationship and identifies the natural persons who ultimately own or control a customer. For companies, associations or other legal arrangements, this can require more than collecting a registration certificate. The business may need to understand who stands behind the entity and whether the structure makes commercial sense.
Enhanced due diligence should be triggered where the risk is higher or where there are reasonable grounds to suspect money laundering, terrorist financing or proliferation financing risk. In everyday terms, the business should be cautious where payments are unusually large for the customer profile, where ownership explanations are vague, where a customer resists providing basic documents or where a transaction has no clear business purpose. The file should not merely say that enhanced measures were taken. It should record the concern, the information requested, the decision made and any senior management approval.
Reliance on third parties and internal controls
Some businesses rely on agents, partners, platforms or other institutions to collect information. That may be practical, but it is not a complete defence if required due diligence is missing. The business should verify that the third party actually obtained the necessary documents and should retain evidence that can be produced when requested. A partner’s assurance is useful, but it is weaker than a clear record of what was collected, when and by whom.
Article 29 requires reporting persons to implement internal control programmes with regard to the risks identified. Internal controls should therefore be visible. The file should include the AML/CFT policy, approval record, appointed responsible officer, staff training register, review dates and evidence that staff understood the procedures. Training should not be treated as a one time classroom exercise. A cashier, sales officer or relationship manager may be the first person to notice unusual behaviour. If that person does not know how to escalate the concern, the written policy may have little practical value.
Inspection readiness
Supervisory authorities may inspect reporting persons, compel production of information and impose administrative sanctions, including financial sanctions or licence restriction, suspension or withdrawal. That enforcement possibility gives record keeping a practical urgency. A business should maintain a record retention and inspection response folder containing due diligence records, transaction records, supervisory correspondence and information production logs. The folder should be indexed so that the business can respond quickly rather than searching through email accounts after a formal request arrives.
Red flags should trigger immediate review. Customers should not be onboarded before identity, ownership and purpose are documented. High value payments should not be accepted without explanation where risk indicators exist. Staff should not rely only on commercial familiarity with a customer where formal records are missing. Supervisory letters and inspection notes should not be handled informally. Each of these practices may appear harmless when business is moving quickly, but together they can suggest that the company does not control its financial crime risk.
Practical conclusion
For regulated businesses in Rwanda, the safer habit is to build one risk based customer due diligence and internal controls file before anyone asks for it. The file should show coverage assessment, customer identification, beneficial ownership checks, risk escalation, training, record retention and inspection response. This may feel administrative, but it is really a form of business protection. It helps management understand its customers, respond to supervisory questions and show that AML/CFT compliance is part of daily operations rather than an emergency exercise.
Source note. This article is based on Law No. 001/2025 of 22/01/2025 on the prevention and punishment of money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction, especially Articles 8, 9, 12, 13, 18, 19, 28, 29 and 43, together with official Rwanda legal information and publication materials.