Regulations dive

KYC in Rwanda: What you need to know while verifying users

May 18, 2023
5 min read

Chandrika Mahapatra

KYC Content Specialist uqudo

Did you know that Rwanda is home to more than 75 fintechs? With the Rwandan government taking numerous steps to enhance economic growth, the Central African country has seen numerous strides in the adoption of a digitised infrastructure in recent years. 

On its path to becoming one of Africa’s innovation hotspots, Rwanda ranks eighth among start-up ecosystems in the Middle East and Africa and fourth in all of Africa, with Kigali placing fourteenth among regional cities, according to the 2022 Global Startup Ecosystem Index.

With this rapid advancement of technology, identity verification in Rwanda has gone largely digital in recent times. This in turn has increased financial crimes such as identity theft, scams and tax evasion. Recently, a commercial bank in Rwanda lost $10.3b due to fraudulent customer withdrawals. 

To fight against these financial crimes, the Rwandan government has implemented numerous AML/CFT measures. These regulations make it necessary for companies to implement comprehensive customer identification and risk assessment to mitigate risks.

Who is the financial regulator in Rwanda?

The National Bank of Rwanda (BNR) is the regulator of financial institutions in Rwanda, complying with the FATF (Financial Action Task Force), OFAC (Office of Foreign Assets Control) and ESAAMLG (Eastern and Southern Africa Anti-Money Laundering Group) guidelines. BNR is responsible for maintaining monetary stability, promoting Rwanda’s financial system and overseeing organisations’ compliance with regulatory requirements. Along with supervising the financial sector, the National Bank of Rwanda also plays a key role in promoting financial inclusion in the country. 

The BNR regulates all types of financial institutions in the country, including:

  • Commercial banks
  • Microfinance institutions
  • Insurance companies
  • Pension funds
  • Capital markets participants, such as stockbrokers and investment firms
  • Payment service providers, including mobile money operators and electronic payment systems.

Rwanda’s AML/CFT law, which came into effect in 2020, makes it mandatory for companies to establish preventive measures against money laundering and terrorism financing. Along with this, the NBR issues regulations and guidelines on AML/CFT, which have to be strictly adhered to.

Rwanda’s Financial Intelligence Centre, also established in 2020, is responsible for overseeing financial institutions’ compliance with AML/CFT laws. It also analyses Cash Transaction Reports (CTRs) and Suspicious Activity Reports (STRs) to help identify and combat money laundering and terrorism financing. It guides entities on AML/CFT compliance and also cooperates with law enforcement agencies that implement these regulations. 

How are customers identified in Rwanda?

Financial institutions in Rwanda need to comply with AML/CFT regulations that mandate verifying the identities of their customers. This is done by:

1. Customer Identification

The first step in the identity verification process is to establish the identity of the user. This is done using identity documents such as the Rwandan ID card or passport, to verify the name, date of birth, address and nationality. This information is then verified by checking against government databases.

2. Customer Screening

After verifying the identity of a customer, the next step is to asses their past financial behaviour and screen them against Sanctions, PEPs and Adverse Media list. This also includes assessing and evaluating their customer risk profiles.

3. Ongoing Monitoring

Once a customer has been identified and onboarded to a digital platform, the identity verification is still not over. It is very important to continuously monitor the user’s risk profile to keep track of changing risk values.

Rwanda’s National ID database

Rwanda’s national ID database established by the National Identification Authority (NIDA) is the centralised database of all Rwandan citizens. This national ID can be used for numerous purposes, including:

  • Obtaining passports
  • Opening bank accounts
  • Voting
  • International travel to Uganda and Kenya

Issued to Rwandans above 16, the ID card contains the following information:

  • Name
  • Date of birth
  • Gender
  • Address
  • Nationality
  • Biometric data
  • National ID number

What are the KYC requirements in Rwanda?

The National Bank of Rwanda (BNR) issued the Law on Prevention and Punishment of Money Laundering and Financing of Terrorism in 2020, which makes it necessary for companies to comply with KYC/AML protocols to protect their customers.

Under this, all financial institutions and regulated entities are required to collect the following information from their customers:

  • Name
  • Date of birth
  • Address
  • Nationality
  • Identification number
  • Occupation

Financial institutions also have to verify the information collected from their customers. This has to be done by checking the customer’s identification documents or by conducting a background check.

Along with a comprehensive KYC, financial institutions in Rwanda have to screen their customers for potential money laundering and terrorism financing risks, which is described in detail in the next section.

Screening customers in Rwanda

Once a potential customer has been identified, the next step is to screen them against comprehensive sanction lists. Rwanda’s AML/CFT law consists of numerous measures to prevent money laundering and terrorism financing, which include:

  • Customer due diligence: Financial institutions are mandated to collect information about all their customers, including identity, address and source of funds.
  • Reporting suspicious activity: All institutions are required by law to report any suspicious activity to the Financial Intelligence Unit.
  • Record-keeping: Financial institutions are required to keep records of all their transactions for a period of five years.

The AML/CFT law also establishes a number of penalties for non-compliance. These penalties can include fines, imprisonment, or both.

While complying with these regulations, financial institutions are required to screen their customers against the following lists:

1. Sanction list

Sanction lists are those lists published by government and international authorities and contain official lists of names of those engaged in criminal activity. A few examples are;

  • Financial Action Task Force (FATF) grey and black lists
  • United Nations Sanction List
  • Office of Foreign Assets Control (OFAC) Sanctions List
  • Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG) List
  • Money laundering lists
  • Terrorist financing lists
  • Drug trafficking lists
  • Human rights violations lists
2. PEPs

PEPs (Politically Exposed Persons) are those individuals with prominent leadership roles in international organizations or high-profile government positions. They typically pose a greater danger to companies because of their influence over governmental and/or international agencies.

PEP screening refers to identifying these individuals ad evaluating their risk profiles during their onboarding process.

3. Adverse Media Lists

Adverse media screening refers to identifying potentially damaging information about individuals in the news and other data sources. This helps companies identify potential risks such as money laundering, terrorist financing, tax evasion and corruption, thereby protecting their reputation.  

Authentication of users in Rwanda

Once users are identified and screened, they can access products on a platform. For this, they need to be authenticated, in order to gain access to secure systems. Some methods to authenticate users are:

1. Passwordless login

This method of authenticating users verifies identities without requiring any password. It uses alternatives such as fingerprint verification, face recognition, OTPs, or security keys to authenticate individuals. More convenient and secure as compared to passwords, these alternatives do not require users to remember long passwords and keep them protected from identity theft and other breaches.

2. Biometric authentication

This uses individuals’ physical characteristics to verify their identities. These include fingerprints, facial features, voice and iris scans. These unique physical attributes are hard to spoof, making biometric authentication a highly secure method of authenticating users.

3. Two-factor authentication

2FA requires users to provide two different pieces of information to verify their identity, this is generally a combination of something the user is (facial features, fingerprint or voice), something the user knows (password or PIN code) or something the user has (OTP or security code). This method of authentication adds an extra layer of security, protecting users from identity theft and phishing attacks.

4. FIDO and FIDO2 authentication

Fast Identity Online (FIDO) and FIDO2 use biometrics such as facial recognition, fingerprint recognition and voice recognition with security keys to verify user identity. These are highly secure modes of authentication and are also convenient for users, by letting them authenticate themselves without using long passwords.

How can your company onboard customers in Rwanda?

uqudo’s fully digital identity verification platform lets you onboard customers securely with the following steps.

1. Step 1 – AI Document Scanning + OCR

a. Use our powerful AI document scanner to quickly read and scan identity documents, including

    1. Passports
    2. ID cards
    3. Driving Licenses

b. Evaluate the quality of the document, and also check for tamper.

c. Identify necessary fields on the document, and extract data using Optical Character Recognition.

2. Step 2 – Face Verification and Liveness Detection

a. Verify if the user on the camera is real, and matches the document.

b. Detect if the person on the camera is live and not a spoof.

3. Step 3 – Identity verification

Once a user is identified, access government repositories to verify their identities.

4. Step 4 – Screening

Check if the individual is worth doing business with, using AML, sanction, PEP and adverse media screening.

5. Step 5 – Passwordless login

Once a user has been onboarded, let them log in to your platform in a hassle-free manner using biometrics or FIDO2 authentication. 

Comply with Rwanda’s evolving KYC and AML regulations with uqudo’s all-in-one digital identity platform. Get in touch with us to learn more!


Chandrika Mahapatra

KYC Content Specialist uqudo

Similar Posts

Regulations dive
Mar 23, 2023
5 min read

South Africa’s KYC requirements: What you need to know to stay compliant

Chandrika Mahapatra

KYC Content Specialist uqudo

Regulations dive
Dec 14, 2022
5 min read

The ultimate guide to KYC in Nigeria

Chandrika Mahapatra

KYC Content Specialist uqudo

Stay up-to-date with the world of identity.

Subscribe to get the latest identity articles, guides and videos, straight to your email.

We’re committed to your privacy uqudo uses the information you provide to contact you about our content, products, and services. You may unsubscribe from these at any time. For more information, check out our privacy policy.