Uganda -- AML/CFT Compliance Regulatory Overview

**The Anti-Money Laundering Act, 2013 (as amended):** This is the primary AML legislation in Uganda. It defines money laundering, establishes the Financial Intelligence Authority (FIA), and outlines obligations for "reporting persons." While it doesn't explicitly mention "cryptocurrency" or "VASP," the broad definitions of "financial institution," "transaction," and "funds" can be interpreted to encompass activities involving virtual assets.

**The Anti-Money Laundering Regulations, 2015:** These regulations provide more specific details on the implementation of the Act, including customer due diligence, record-keeping, and suspicious transaction reporting.

**The Financial Intelligence Authority Act, 2013:** This Act establishes the FIA as the central national agency responsible for receiving, analyzing, and disseminating financial intelligence related to money laundering, terrorist financing, and proliferation financing.

**Bank of Uganda Act, Cap 51:** While the Bank of Uganda (BOU) has primarily issued warnings about the risks associated with cryptocurrencies due to their unregulated nature, any future licensing or regulation of VASPs that touch upon payment systems or financial services would likely involve the BOU.

**Individual Customers:** Obtain and verify the customer's full name, permanent address, date of birth, national identification number (e.g., National ID, passport), and other relevant identification documents.

**Legal Entities (Companies, etc.):** Obtain and verify the company's registered name, legal form, proof of incorporation, physical address, business registration number, tax identification number, and details of directors, beneficial owners, and authorized signatories.

**Beneficial Ownership:** Identify and verify the identity of the beneficial owner(s) – the natural person(s) who ultimately own or control the customer, or the natural person(s) on whose behalf a transaction is being conducted.

**Purpose and Intended Nature of Business Relationship:** Understand the purpose and intended nature of the business relationship or the transaction.

**Ongoing Monitoring:** Continuously monitor the business relationship and transactions undertaken by the customer to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile, including the source of funds where necessary.

**Enhanced Due Diligence (EDD):** Apply EDD for higher-risk customers, transactions, or business relationships. This includes:

Customers from high-risk jurisdictions (identified by FATF or local authorities)

Transactions involving large amounts or complex structures

Transactions with no apparent economic or lawful purpose.

**Simplified Due Diligence (SDD):** May be applied in limited circumstances where the risk of money laundering or terrorist financing is lower, as permitted by the regulations.

**Report Suspicious Transactions:** Report any transaction (attempted or completed) where there is a reasonable suspicion that the funds involved are proceeds of crime, or are linked to money laundering, terrorist financing, or proliferation financing.

**Report to the FIA:** Such reports must be made to the Financial Intelligence Authority (FIA) promptly, and generally within 48 hours of forming the suspicion.

**No Tipping-Off:** Not disclose to the customer or any third party that a suspicious transaction report has been made or that a money laundering investigation is being conducted.

**Customer Identification Records:** All records obtained during CDD processes (identification documents, verification records, beneficial ownership information).

**Transaction Records:** Records of all domestic and international transactions, including the amount, currency, date, type of transaction, and parties involved. For virtual assets, this would include wallet addresses, transaction hashes, and amounts.

**Business Correspondence:** Records of all relevant business correspondence with customers.

**Retention Period:** Records must be retained for a minimum period of **five (5) years** after the business relationship has ended or after the date of an occasional transaction.

**Bank of Uganda Circular on Virtual Currencies (2022):** While a direct URL for a circular may be ephemeral, the BOU regularly publishes such statements. A general search for "Bank of Uganda virtual currency statement" often yields news articles or official press releases reflecting this stance. For example, a common reference point is the **Bank of Uganda Governor's statements** regarding financial innovation and risks.

**Anti-Money Laundering Act, 2013 (as amended):** This is the cornerstone legislation. It establishes the Financial Intelligence Authority (FIA) as the central national agency responsible for receiving, analyzing, and disseminating financial intelligence. The Act defines "financial institution" broadly, and while it doesn't explicitly mention "Virtual Asset Service Providers" (VASPs), any entity facilitating financial transactions, even in virtual assets, could potentially fall under its purview, especially concerning illicit finance.

**Legal Reference:** The Anti-Money Laundering Act, 2013 (as amended) (PDF hosted by FIA)

**Anti-Terrorism Act, 2002 (as amended):** This Act provides the legal basis for combating terrorism financing, which often goes hand-in-hand with sanctions compliance.

**Legal Reference:** A specific, easily accessible online version of the *amended* Act can be hard to pinpoint. Often, legal databases or government gazettes are the source. A general search for "Uganda Anti-Terrorism Act" will point to its existence.

**Financial Intelligence Authority (FIA):** The FIA is crucial for implementing AML/CTF measures, including those related to sanctions. It issues guidelines, receives suspicious transaction reports (STRs), and works with international bodies.

**Reference:** Financial Intelligence Authority (FIA) Uganda Website

**UN Sanctions:** As a member of the United Nations, Uganda is legally obliged to implement UN Security Council Resolutions, including those imposing sanctions on individuals, entities, and countries. The FIA and other Ugandan authorities enforce these resolutions domestically.

**Requirement for VASPs:** VASPs must screen all their customers and transactions against the **UN Sanctions List** to identify designated individuals or entities and freeze their assets or prevent transactions.

**Legal Reference:** United Nations Security Council Sanctions Committees

**OFAC Sanctions (U.S. Department of the Treasury's Office of Foreign Assets Control):**

**Extraterritorial Reach:** OFAC sanctions have significant extraterritorial reach. Any VASP that uses US dollar clearing, has US customers, servers, or any operational nexus with the US, is directly subject to OFAC regulations, regardless of where they are incorporated. This effectively includes most globally connected VASPs.

**Requirement for VASPs:** VASPs must screen all customers, beneficial owners, and transaction counterparties against OFAC's **Specially Designated Nationals And Blocked Persons List (SDN List)** and other sanctions lists (e.g., Sectoral Sanctions Identifications List, Non-SDN Palestinian Legislative Council List, etc.). They must block funds and prohibit transactions involving sanctioned parties or jurisdictions.

**Legal Reference:** OFAC's Sanctions Programs and Country Information

**Guidance on Virtual Currency:** OFAC has issued specific guidance on applying sanctions to virtual currency, emphasizing that its regulations apply to virtual currency just as they do to traditional fiat currency.

**Legal Reference:** OFAC's A Framework for OFAC Compliance Commitments (2019) (PDF, refers to virtual currency obligations) and various FAQs.

**Jurisdictional Reach:** EU sanctions apply to all EU nationals and entities, regardless of where they operate, and to non-EU entities conducting business within the EU. Given global financial interconnectivity, VASPs with any European nexus (customers, partners, funding) must comply.

**Requirement for VASPs:** VASPs must screen against the **EU Consolidated List of persons, groups and entities subject to EU financial sanctions**.

**Legal Reference:** EU Financial Sanctions Map

**Implement Robust KYC/CDD:** Conduct thorough Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures to identify all parties involved in a transaction.

**Screen Against Sanctions Lists:** Regularly screen all customers, beneficial owners, and transaction counterparties against:

OFAC's **SDN List** and other relevant OFAC lists.

**Geographic Screening:** Identify and flag transactions involving high-risk or sanctioned jurisdictions.

**Transaction Monitoring:** Implement systems to monitor transactions for patterns indicative of sanctions evasion or illicit activity (e.g., unusual transaction sizes, rapid movements of funds to high-risk areas).

**Reporting Obligations:** Report any detected suspicious transactions or potential sanctions violations to the FIA and, if applicable, to relevant international authorities (e.g., OFAC for US persons).

**Sanctioned Countries:** Countries comprehensively sanctioned by the UN, OFAC (e.g., Cuba, Iran, North Korea, Syria), or the EU.

**High-Risk Jurisdictions:** Jurisdictions identified by FATF or other bodies as having strategic AML/CTF deficiencies.

**Under the Anti-Money Laundering Act, 2013:**

**Individuals:** Fines (e.g., up to UGX 2 billion / ~USD 500,000) and/or imprisonment (e.g., up to 15 years).

**Institutions:** Substantial fines (e.g., up to UGX 10 billion / ~USD 2.5 million), revocation of licenses (if applicable), and reputational damage.

**Asset Forfeiture:** Proceeds of crime, including virtual assets, can be frozen and forfeited.

**Under the Anti-Terrorism Act, 2002:**

Even harsher penalties, including lengthy imprisonment, apply for financing terrorism.

**International Penalties:** Non-compliance with OFAC or EU sanctions can lead to massive fines (billions of USD/EUR), criminal charges, and exclusion from international financial systems, regardless of the VASP's Ugandan operations.