قائمة امتثال KYC وKYB وAML
زيمبابوي KYC, KYB & AML
A source-backed implementation checklist for customer and business verification in Zimbabwe. It incorporates the consolidated Money Laundering and Proceeds of Crime Act through Act 7 of 2025, the RBZ 2025 banking guideline, current FIU reporting and targeted-financial-sanctions directives, company beneficial-ownership filings, payment-system oversight, the June 2026 VASP registration regime and current privacy licensing and breach rules.
- تاريخ المراجعة
- 16 July 2026
- الإصدار
- 1.0
- مجالات رقابية
- 11
- فحوص تنفيذ
- 53
إجابة مباشرة
ما الذي تغطيه قائمة الامتثال الخاصة بـ زيمبابوي؟
تحوّل قائمة زيمبابوي قواعد KYC وKYB وAML الأساسية إلى 11 مجالات رقابية و53 فحوص تنفيذ، وتشمل الجهات المختصة وواجبات الإبلاغ والأدلة الواجب الاحتفاظ بها.
حقائق تنظيمية أساسية
- Primary AML/CFT/CPF law
- Money Laundering and Proceeds of Crime Act [Chapter 9:24], consolidated through Act 7 of 2025
- Financial intelligence unit
- Financial Intelligence Unit of Zimbabwe (FIU)
- STR timing and channel
- Promptly and no later than three working days after suspicion; submit through goAML
- General occasional CDD trigger
- USD 5,000 or more, including linked transactions; suspicion and identity doubt override thresholds
- Wire CDD trigger
- USD 1,000 or more for domestic or international wires
- Core AML retention
- At least five years, with the event depending on the record class
- Company beneficial ownership
- More than 20% shares or voting rights, majority-director appointment/removal rights, or other significant influence or control; changes filed within seven days
- RBZ banking BO guide
- Identify and verify beneficial owners at 10% ownership and above, while also testing control
- Targeted financial sanctions
- Screen daily; freeze and report a confirmed match immediately and within 24 hours
- Data breach
- Notify POTRAZ within 24 hours; notify affected people within 72 hours where high risk
- VASP regime
- FIU registration under S.I. 99 of 2026; certificate valid one year; travel rule applies to all virtual-asset transfers
- FATF public lists
- Not listed in the public statements dated 19 June 2026; ESAAMLG enhanced follow-up continues
تفاصيل التنفيذ
متطلبات وإجراءات الامتثال في زيمبابوي
افتح كل مجال لمراجعة المتطلب وإجراء التنفيذ المقترح والأدلة الواجب الاحتفاظ بها والمصدر الأساسي.
01Scope, authorities and regulated activitiesResolve the legal entity, product, profession and supervisor perimeter before configuring controls or launching a service.4 عناصر+
The AML/CFT/CPF regime covers financial institutions and designated non-financial businesses and professions, including the categories defined in the Act.
- إجراء التنفيذ
- Map every entity, product, customer flow, profession, branch, agent and outsourced activity to its statutory category and competent supervisor.
- الأدلة الواجب الاحتفاظ بها
- Signed perimeter memorandum, entity-product matrix, licences and supervisor map.
- المصدر الأساسي
- Money Laundering and Proceeds of Crime Act [Chapter 9:24] (MLPC Act), ss. 2, 13 and First Schedule
The FIU administers the reporting framework, receives reports and may issue binding directives; sector supervisors retain their licensing and supervisory roles.
- إجراء التنفيذ
- Assign authority contacts, goAML credentials, alternates, reporting ownership and a controlled regulatory calendar.
- الأدلة الواجب الاحتفاظ بها
- Authority map, FIU registration, goAML access register, appointments and reporting calendar.
- المصدر الأساسي
- MLPC Act, ss. 4-6G and 30; FIU legal-framework and directives pages
Retail payment, switching, mobile-money and related payment activity requires the applicable RBZ approval before operation; non-bank applicants follow the current partnership and submission conditions stated by RBZ.
- إجراء التنفيذ
- Obtain an RBZ classification and every required approval before pilot or live launch, and track conditions, agents, settlement, interoperability and consumer-protection duties.
- الأدلة الواجب الاحتفاظ بها
- RBZ approval, classification, approved product map, conditions register, bank-partner agreement and agent inventory.
- المصدر الأساسي
- National Payment Systems Act [Chapter 24:23]; RBZ National Payment Systems approval requirements; S.I. 80 of 2020
A person providing virtual-asset services must be registered with the FIU under S.I. 99 of 2026; applicants must be Zimbabwe-incorporated or operate through a Zimbabwe subsidiary.
- إجراء التنفيذ
- Do not offer exchange, transfer, custody, administration or issuer-related virtual-asset services until the FIU issues the applicable registration certificate and conditions.
- الأدلة الواجب الاحتفاظ بها
- VASP perimeter analysis, Zimbabwe incorporation, application pack, FIU certificate, conditions and renewal calendar.
- المصدر الأساسي
- MLPC Act, s. 2 definition of financial institution; S.I. 99 of 2026, ss. 4-9
02Governance, risk assessment and control ownershipUse documented ML, TF and proliferation-financing risk to design accountable, tested and resourced controls.4 عناصر+
Reporting institutions assess and mitigate customer, country, product, service, transaction and delivery-channel ML/TF/PF risk and apply proportionate measures.
- إجراء التنفيذ
- Maintain enterprise and customer-risk methodologies, data inputs, inherent and residual ratings, mitigants, overrides and approval.
- الأدلة الواجب الاحتفاظ بها
- Risk methodology, enterprise assessment, customer model, risk register, remediation plan and approval.
- المصدر الأساسي
- MLPC Act, s. 12B; RBZ AML/CFT/CPF Guideline, paras. 2.1-2.49
Banks and microfinance institutions under the RBZ guideline review their institutional risk assessment at least annually and assess new products and technologies before launch.
- إجراء التنفيذ
- Set an annual review and a pre-launch gate covering AML/CFT/CPF, fraud, sanctions, cyber and privacy risk.
- الأدلة الواجب الاحتفاظ بها
- Annual assessment, product assessment, control sign-offs, test results and release decision.
- المصدر الأساسي
- RBZ AML/CFT/CPF Guideline, paras. 2.8-2.9 and 3.9-3.11
An AML/CFT/CPF programme includes policies and controls, employee screening, ongoing training, technology-misuse controls and independent audit.
- إجراء التنفيذ
- Approve a complete programme, name control owners, resource independent testing and track corrective action to closure.
- الأدلة الواجب الاحتفاظ بها
- Board-approved policies, owner register, training, screening, audit plan, reports and remediation tracker.
- المصدر الأساسي
- MLPC Act, s. 25(1); RBZ AML/CFT/CPF Guideline, Part 3
A management-level compliance officer must oversee implementation and have ready access to books, records and employees.
- إجراء التنفيذ
- Document appointment, authority, independence, information access, deputies and direct reporting to senior management and the board.
- الأدلة الواجب الاحتفاظ بها
- Appointment resolution, charter, access matrix, resource plan and governance reports.
- المصدر الأساسي
- MLPC Act, s. 25(2)-(3); RBZ AML/CFT/CPF Guideline, paras. 3.22-3.32
03Natural-person identification and CDDIdentify, verify and understand customers at every statutory trigger and before activation except for a narrow controlled timing exception.5 عناصر+
CDD applies when establishing a relationship, at an occasional transaction of USD 5,000 or more including linked transactions, at a wire of USD 1,000 or more, whenever suspicion exists and whenever earlier identity evidence is doubtful.
- إجراء التنفيذ
- Configure relationship, aggregation, wire, suspicion and identity-doubt triggers; never use a monetary threshold to suppress suspicion-driven CDD.
- الأدلة الواجب الاحتفاظ بها
- CDD trigger matrix, aggregation logic, configuration, test cases and exceptions.
- المصدر الأساسي
- MLPC Act, s. 15(1); RBZ AML/CFT/CPF Guideline, para. 3.36
Sector-specific triggers also apply: gaming operators at USD 3,000 and precious-stones or precious-metals dealers receiving currency at USD 15,000, subject to any current prescribed change.
- إجراء التنفيذ
- Keep sector thresholds in a governed register and link each threshold to the correct activity and customer population.
- الأدلة الواجب الاحتفاظ بها
- Sector analysis, threshold register, configuration and periodic legal check.
- المصدر الأساسي
- MLPC Act, s. 15(2)
Natural-person identity is verified with an official identity document; the customer definition includes signatories, authorised persons and attempted actors.
- إجراء التنفيذ
- Validate identity attributes and document authenticity, screen the person and separately verify every representative's authority.
- الأدلة الواجب الاحتفاظ بها
- Identity copy, authenticity result, source provenance, screening and mandate.
- المصدر الأساسي
- MLPC Act, ss. 13, 15 and 17; RBZ AML/CFT/CPF Guideline, paras. 3.34-3.50
CDD captures the purpose and intended nature of the relationship and enough information to understand the customer's business and expected activity.
- إجراء التنفيذ
- Record products, volumes, values, counterparties, countries, source of funds where appropriate and an approved expected-activity baseline.
- الأدلة الواجب الاحتفاظ بها
- Customer profile, purpose statement, expected-activity baseline, source evidence and risk score.
- المصدر الأساسي
- MLPC Act, s. 17(e)-(f); RBZ AML/CFT/CPF Guideline, para. 3.49
Identity verification normally precedes the relationship; limited deferral is allowed only where delay is unavoidable for normal business and ML/TF/PF risk is adequately controlled.
- إجراء التنفيذ
- Use a documented exception with restrictions, completion deadline and escalation; do not treat deferral as routine onboarding.
- الأدلة الواجب الاحتفاظ بها
- Exception approval, risk rationale, account restrictions, completion timestamp and overdue report.
- المصدر الأساسي
- MLPC Act, s. 16; RBZ AML/CFT/CPF Guideline, paras. 3.43-3.47
04KYB, registries and beneficial ownershipVerify legal existence, authority and the natural persons who ultimately own or control the entity; apply the threshold appropriate to the legal context.5 عناصر+
Legal-person CDD covers name, address, directors, incorporation, legal form, binding authority, ownership and control.
- إجراء التنفيذ
- Verify these from current registry, constitutional, licence, tax and mandate evidence; reconcile inconsistencies.
- الأدلة الواجب الاحتفاظ بها
- Registry extract, constitutive documents, licences, directors, mandate and discrepancy log.
- المصدر الأساسي
- MLPC Act, s. 17(b); RBZ Guideline, para. 3.49
AML CDD identifies the natural-person beneficial owner; 25% or more ownership or voting control is a deemed test, but other control still applies.
- إجراء التنفيذ
- Trace all layers, calculate interests, identify the transaction beneficiary and test effective control.
- الأدلة الواجب الاحتفاظ بها
- Ownership chart, calculations, declarations, control analysis and verified BO files.
- المصدر الأساسي
- MLPC Act, ss. 13 and 15(2)-(3)
RBZ's 2025 guide directs banks and microfinance institutions to identify and verify BOs at 10% ownership and above, alongside control tests.
- إجراء التنفيذ
- Configure the 10% floor for covered institutions and investigate control, nominees and higher-risk ownership.
- الأدلة الواجب الاحتفاظ بها
- Scope memo, configuration, ownership chart, control analysis and tests.
- المصدر الأساسي
- RBZ Guideline, paras. 2.21 and 3.37-3.42
Company-law BO means more than 20% of shares or votes, majority-director appointment or removal rights, or other significant influence or control.
- إجراء التنفيذ
- Maintain the company's current BO register using every statutory limb, not shareholding alone.
- الأدلة الواجب الاحتفاظ بها
- Company BO register, identity and control evidence, resident custodian and review log.
- المصدر الأساسي
- Companies and Other Business Entities Act, ss. 2 and 72
A company files current BO information and any material change with the Registrar within seven days.
- إجراء التنفيذ
- Use the current form and reconcile the company register, Registrar filing and AML CDD record.
- الأدلة الواجب الاحتفاظ بها
- Declaration, receipt, seven-day change log and reconciliation.
- المصدر الأساسي
- Companies and Other Business Entities Act, s. 72(2); S.I. 46/2020
05PEPs, enhanced due diligence and remote onboardingHigher-risk, politically exposed and non-face-to-face relationships require additional evidence, accountable approval and closer monitoring.5 عناصر+
Systems must determine whether a customer or beneficial owner is a PEP and distinguish foreign PEPs from domestic or international-organisation PEPs according to risk.
- إجراء التنفيذ
- Screen before activation and continuously, resolve matches with reliable role evidence and extend controls to required family members and close associates.
- الأدلة الواجب الاحتفاظ بها
- Screening result, role and relationship evidence, match decision, risk rationale and review log.
- المصدر الأساسي
- MLPC Act, ss. 13 and 20; RBZ AML/CFT/CPF Guideline, paras. 3.64-3.68
Applicable PEP relationships require senior-management approval, reasonable measures to establish source of wealth and source of funds or assets and increased ongoing monitoring.
- إجراء التنفيذ
- Obtain and corroborate source evidence, record approval before starting or continuing the relationship and configure enhanced monitoring.
- الأدلة الواجب الاحتفاظ بها
- Source-of-wealth and source-of-funds file, approval, monitoring plan and reviews.
- المصدر الأساسي
- MLPC Act, s. 20; RBZ AML/CFT/CPF Guideline, para. 3.68
High-risk customers, products, services and situations receive enhanced measures; simplified measures are permitted only for substantiated low risk and do not remove CDD or monitoring.
- إجراء التنفيذ
- Define risk-based standard, enhanced and simplified control sets, eligibility rules, prohibited overrides and review frequency.
- الأدلة الواجب الاحتفاظ بها
- Risk-control matrix, low-risk rationale, EDD file, approvals and override log.
- المصدر الأساسي
- MLPC Act, ss. 12B and 20; RBZ AML/CFT/CPF Guideline, paras. 3.71-3.76
Non-face-to-face business must use measures no less effective than in-person due diligence and address impersonation and document risk.
- إجراء التنفيذ
- Use risk-based document integrity, liveness or presence, independent data, device and fraud checks and governed manual review.
- الأدلة الواجب الاحتفاظ بها
- Remote-onboarding standard, vendor assurance, test pack, fraud logs and exceptions.
- المصدر الأساسي
- MLPC Act, s. 19; RBZ AML/CFT/CPF Guideline, paras. 3.57-3.63
If required CDD cannot be completed, do not establish or maintain the relationship and report immediately to the FIU; avoid pursuing CDD where it would tip off a suspected customer.
- إجراء التنفيذ
- Route failed or unsafe CDD to decline, restriction or exit and a confidential reporting decision without alerting the customer.
- الأدلة الواجب الاحتفاظ بها
- Failure reason, decline or exit, immediate report or STR decision, submission and restricted access log.
- المصدر الأساسي
- MLPC Act, ss. 22 and 31; RBZ AML/CFT/CPF Guideline, paras. 3.69-3.70 and 3.130
06Monitoring, suspicious reporting and confidentialityMonitor the relationship continuously and submit complete reports through the prescribed FIU channel on time.5 عناصر+
Ongoing due diligence keeps customer and beneficial-owner data current and examines transactions against the known customer, activities and risk profile.
- إجراء التنفيذ
- Configure risk-based refresh, event triggers and transaction monitoring and investigate material deviations from expected activity.
- الأدلة الواجب الاحتفاظ بها
- Refresh schedule, trigger log, monitoring scenarios, alerts, cases and updated CDD.
- المصدر الأساسي
- MLPC Act, s. 26; RBZ AML/CFT/CPF Guideline, paras. 2.47-2.51 and 3.71-3.78
Complex, unusual large or purposeless transactions and unusual patterns require special attention, written findings and retention.
- إجراء التنفيذ
- Document background, purpose, actors, source and destination of funds, corroboration and the final reporting decision.
- الأدلة الواجب الاحتفاظ بها
- Enhanced-review memorandum, transaction data, supporting evidence, decision and reviewer sign-off.
- المصدر الأساسي
- MLPC Act, ss. 24 and 26(2)
A financial institution, DNFBP and covered officers or agents report property, a transaction or an attempted transaction suspected or reasonably suspected to involve crime, terrorism, terrorist financing or proliferation.
- إجراء التنفيذ
- Escalate immediately, preserve the suspicion timestamp and submit a complete STR to the FIU through goAML.
- الأدلة الواجب الاحتفاظ بها
- Internal report, analysis, STR, goAML receipt, case timeline and any supplement.
- المصدر الأساسي
- MLPC Act, s. 30(1); RBZ AML/CFT/CPF Guideline, paras. 3.104-3.110
An STR is due promptly and no later than three working days after suspicion is formed; attempted transactions are reportable.
- إجراء التنفيذ
- Use a shorter internal SLA that leaves time for review and measure from the documented point at which suspicion was formed.
- الأدلة الواجب الاحتفاظ بها
- Suspicion timestamp, internal SLA, approval, submission timestamp and overdue report.
- المصدر الأساسي
- MLPC Act, s. 30(1); RBZ AML/CFT/CPF Guideline, paras. 3.105-3.108
Tipping off is prohibited and reporting information is protected; secrecy duties do not block statutory reporting.
- إجراء التنفيذ
- Restrict STR access, suppress customer-facing indicators, train staff and separate lawful information requests from prohibited disclosure.
- الأدلة الواجب الاحتفاظ بها
- Access matrix, immutable case log, training, communications controls and access review.
- المصدر الأساسي
- MLPC Act, ss. 31-33; RBZ AML/CFT/CPF Guideline, paras. 3.126-3.132
07Payments, wires, threshold reports and virtual assetsKeep CDD triggers, automatic threshold reports, wire data and virtual-asset travel-rule controls distinct.6 عناصر+
Qualifying wires carry accurate originator and beneficiary data; incomplete transfers require risk-based repair, rejection or suspension.
- إجراء التنفيذ
- Validate fields before execution, retain data across the chain and govern missing-data decisions.
- الأدلة الواجب الاحتفاظ بها
- Field specification, rules, repair/reject queue, samples and logs.
- المصدر الأساسي
- MLPC Act, s. 27; RBZ Guideline, paras. 3.143-3.156
For banks, Directive 01/04/2024 sets CTR/EFT thresholds at ZiG 70,000 local or USD 5,000 equivalent foreign currency, and IFT at USD 5,000 equivalent.
- إجراء التنفيذ
- Configure separate report types and currency rules and re-check the FIU for changes.
- الأدلة الواجب الاحتفاظ بها
- Threshold register, system and currency rules, tests and dated check.
- المصدر الأساسي
- FIU Directive 01/04/2024, para. 2.1
Banks submit weekly threshold and nil returns on or before the second working day of the week.
- إجراء التنفيذ
- Reconcile, approve and submit each CTR, EFT and IFT return through goAML on time.
- الأدلة الواجب الاحتفاظ بها
- Reconciliation, return, approval, receipt and overdue log.
- المصدر الأساسي
- FIU Directive 01/04/2024, para. 2.2
NBFIs and DNFBPs submit CTR or nil returns at ZiG 70,000 local or USD 5,000 equivalent foreign currency monthly by the tenth day.
- إجراء التنفيذ
- Confirm scope, reconcile the monthly return and retain the goAML acknowledgement.
- الأدلة الواجب الاحتفاظ بها
- Scope, configuration, return, reconciliation and receipt.
- المصدر الأساسي
- FIU Directive 01/04/2024, paras. 3.1-3.2
A suspicious threshold transaction requires separate STR and threshold reports.
- إجراء التنفيذ
- Link but do not merge the cases; preserve separate grounds, reports and receipts.
- الأدلة الواجب الاحتفاظ بها
- Linked IDs, STR, threshold return, receipts and decision.
- المصدر الأساسي
- RBZ Guideline, paras. 3.133-3.135
S.I. 99/2026 applies travel data to all virtual-asset transfers, CDD at USD 1,000 or more and wallet-ownership proof above USD 1,000 for unhosted wallets.
- إجراء التنفيذ
- Verify and transmit travel data, detect missing fields, prove wallet control and monitor risk.
- الأدلة الواجب الاحتفاظ بها
- Travel messages, KYC, wallet proof, decision and monitoring.
- المصدر الأساسي
- S.I. 99/2026, ss. 17-21
08Targeted financial sanctionsUse current UN lists and FIU instructions to identify, freeze and report designated assets without prior notice.4 عناصر+
FIs, DNFBPs and other natural and legal persons apply Zimbabwe's UN targeted-financial-sanctions framework for terrorism and proliferation financing.
- إجراء التنفيذ
- Maintain a legal list inventory, FIU/goAML registration, accountable sanctions owner and procedures for designation, delisting and false positives.
- الأدلة الواجب الاحتفاظ بها
- List inventory, subscriptions, procedure, role assignment and change log.
- المصدر الأساسي
- S.I. 76 of 2014; S.I. 110 of 2021; FIU CFT/CPF Directive PFIU3/09/24
Screen existing and potential customers, beneficial owners, transaction parties, directors and agents before onboarding or an occasional transaction and thereafter daily.
- إجراء التنفيذ
- Run daily list updates and rescreening, pre-transaction checks and real-time cross-border payment screening where applicable.
- الأدلة الواجب الاحتفاظ بها
- List versions, screening timestamps, population reconciliation, alerts and match decisions.
- المصدر الأساسي
- FIU CFT/CPF Directive PFIU3/09/24, Part 3; RBZ AML/CFT/CPF Guideline, paras. 3.79-3.83
A confirmed match triggers freezing without delay, immediately and in any case within 24 hours, without prior notice, plus a prohibition on funds, assets, services or economic resources being made available.
- إجراء التنفيذ
- Block accounts, transactions and services, identify all directly or indirectly owned or controlled assets and prevent movement until lawful release.
- الأدلة الواجب الاحتفاظ بها
- Match validation, freeze timestamp, asset inventory, transaction blocks, access log and release authority.
- المصدر الأساسي
- FIU CFT/CPF Directive PFIU3/09/24, Part 3; S.I. 76 of 2014; S.I. 110 of 2021
A confirmed match and action taken are reported to the FIU through goAML immediately and no later than 24 hours; a nil return is submitted when an FIU list update yields no match.
- إجراء التنفيذ
- Submit the designated-person and asset particulars and action taken, file any required nil return and assess an STR separately where TF or PF is suspected.
- الأدلة الواجب الاحتفاظ بها
- GoAML sanctions report, receipt, nil return, STR decision and linked case record.
- المصدر الأساسي
- FIU CFT/CPF Directive PFIU3/09/24, Reporting; RBZ AML/CFT/CPF Guideline, paras. 4.11-4.17
09Records, confidentiality and regulator accessRetain reconstructable records for the correct event-based period and make them available promptly to authorised authorities.4 عناصر+
CDD files, account records and business correspondence are retained for at least five years after the relationship ends; transaction records are retained for at least five years from the transaction.
- إجراء التنفيذ
- Map every record class to the correct start event, legal hold, access rule and deletion control.
- الأدلة الواجب الاحتفاظ بها
- Retention schedule, lifecycle configuration, legal-hold procedure, archive and deletion test.
- المصدر الأساسي
- MLPC Act, s. 24(2)(a)-(b)
Written findings for complex or unusual activity and copies of STRs and supporting material are retained for at least five years from the transaction or report, as applicable.
- إجراء التنفيذ
- Store analysis and reports in a restricted archive linked to the relevant customer and transaction without exposing the filing.
- الأدلة الواجب الاحتفاظ بها
- Restricted case archive, linkage, retention configuration and access review.
- المصدر الأساسي
- MLPC Act, s. 24(2)(c)-(d); RBZ AML/CFT/CPF Guideline, paras. 3.138-3.142
Where a technical limitation separates required cross-border wire data from the related domestic transfer, the intermediary institution keeps the received information for at least ten years.
- إجراء التنفيذ
- Preserve detached wire data with a reliable transaction link and test complete reconstruction.
- الأدلة الواجب الاحتفاظ بها
- Wire archive, linkage key, ten-year rule, retrieval and reconstruction test.
- المصدر الأساسي
- MLPC Act, s. 27(8)
Records and underlying information must be available on a timely basis to the FIU and authorised competent authorities; third-party reliance does not transfer responsibility.
- إجراء التنفيذ
- Authenticate requests, apply least-privilege disclosure, retrieve promptly and log the response and chain of custody.
- الأدلة الواجب الاحتفاظ بها
- Request register, authentication, response package, access log and retrieval test.
- المصدر الأساسي
- MLPC Act, ss. 18 and 24; RBZ AML/CFT/CPF Guideline, para. 3.142
10Privacy, biometrics and international transfersAML necessity does not remove data-protection duties. Identity and biometric processing require lawful purpose, licensing, security, rights and transfer controls.7 عناصر+
A person deciding the means, purpose or outcome of personal-data processing, the data collected or the people concerned, or processing for commercial benefit must apply for the applicable POTRAZ data-controller licence unless exempt.
- إجراء التنفيذ
- Classify the controller, confirm the correct tier with POTRAZ, obtain the licence and renew it at least three months before its 12-month expiry.
- الأدلة الواجب الاحتفاظ بها
- Applicability analysis, DP1 application, licence, tier confirmation, fees and renewal calendar.
- المصدر الأساسي
- Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (S.I. 155 of 2024), ss. 3-8
A data controller appoints a qualified and certified DPO and notifies POTRAZ; DPO contact changes and termination are notified within 14 days and a replacement is appointed within 90 days.
- إجراء التنفيذ
- Appoint an independent DPO, file Form DP2, publish contact routes and maintain succession and notification triggers.
- الأدلة الواجب الاحتفاظ بها
- Appointment, certification, DP2, POTRAZ receipt, contact notice and succession calendar.
- المصدر الأساسي
- S.I. 155 of 2024, ss. 12-14
Processing must be necessary, fair, lawful, purpose-limited, accurate, minimised and retained no longer than necessary; data subjects have information, access, objection, correction and deletion rights.
- إجراء التنفيذ
- Maintain notices, purpose and basis records, data inventory, minimisation and retention rules and a tested rights-request workflow.
- الأدلة الواجب الاحتفاظ بها
- Privacy notice, processing inventory, lawful-basis register, retention schedule, rights log and responses.
- المصدر الأساسي
- Cyber and Data Protection Act [Chapter 12:07], ss. 7-14
Genetic, biometric and health data generally require written consent unless a statutory exception applies; POTRAZ must also be notified of biometric or genetic processing.
- إجراء التنفيذ
- Document the lawful condition, collect and preserve written consent where relied on, offer withdrawal mechanics and notify POTRAZ before production.
- الأدلة الواجب الاحتفاظ بها
- Biometric assessment, written consent or exception memo, POTRAZ notice, withdrawal log and access controls.
- المصدر الأساسي
- Cyber and Data Protection Act, ss. 11-12; S.I. 155 of 2024, s. 10(2)(d)
Controllers and processors use appropriate technical and organisational security and a written processing agreement; a personal-data breach is notified to POTRAZ within 24 hours of awareness.
- إجراء التنفيذ
- Contract processors, test security and incident response, use Form DP3 and preserve a complete breach record and investigation.
- الأدلة الواجب الاحتفاظ بها
- Processor agreement, security assessment, incident log, DP3, POTRAZ receipt and investigation report.
- المصدر الأساسي
- Cyber and Data Protection Act, ss. 18-19; S.I. 155 of 2024, ss. 16-17
Where a breach is likely to create high risk for individual rights and freedoms, affected data subjects are informed within 72 hours; the controller responds to authority requests within 14 days and concludes and reports its investigation within 21 days from notification.
- إجراء التنفيذ
- Classify breach risk, prepare individual notice, track authority questions and complete the investigation and final report on the statutory clocks.
- الأدلة الواجب الاحتفاظ بها
- Risk assessment, individual notice, delivery proof, authority responses, investigation and final report.
- المصدر الأساسي
- S.I. 155 of 2024, s. 17(3)-(5)
Foreign transfers require adequate protection or a statutory section 29 condition; S.I. 155 also requires notification to POTRAZ of intended foreign transfer or sharing.
- إجراء التنفيذ
- Map hosting and support locations, assess adequacy or the transfer condition, notify POTRAZ and obtain any current required authorisation before transfer.
- الأدلة الواجب الاحتفاظ بها
- Transfer map, assessment, contracts, POTRAZ notification or authorisation, security controls and review.
- المصدر الأساسي
- Cyber and Data Protection Act, ss. 28-29; S.I. 155 of 2024, s. 10(2)(c)
11Implementation and audit evidence packA defensible programme links every legal claim to configuration, ownership, dated sources, testing and a controlled residual-risk decision.4 عناصر+
A pre-launch gate covers perimeter, licensing, CDD, beneficial ownership, PEPs, monitoring, reporting, sanctions, records, privacy, payments and virtual assets.
- إجراء التنفيذ
- Block production until accountable owners approve control design and every material gap has a closed remediation or explicit lawful launch condition.
- الأدلة الواجب الاحتفاظ بها
- Launch checklist, approvals, test pack, gap register and release decision.
- المصدر الأساسي
- MLPC Act; applicable FIU, RBZ, company, VASP and data-protection instruments
Agents, outsourced KYC providers, cloud services, processors and other vendors do not remove the regulated entity's accountability.
- إجراء التنفيذ
- Assess providers, contract evidence access, audit, security and confidentiality, monitor performance, test retrieval and maintain an exit plan.
- الأدلة الواجب الاحتفاظ بها
- Due-diligence file, contract, audit and access test, monitoring reports, issues and exit plan.
- المصدر الأساسي
- MLPC Act, s. 18; S.I. 155 of 2024, s. 10(4)(f); RBZ NPS approval requirements
Thresholds, FATF lists, UN designations, FIU directives, RBZ conditions, VASP registration and privacy forms can change.
- إجراء التنفيذ
- Assign owners to monitor official FIU, RBZ, Companies Office, POTRAZ, Gazette, FATF and ESAAMLG sources and assess every change against systems and existing customers.
- الأدلة الواجب الاحتفاظ بها
- Legal inventory, source log, change assessment, implementation ticket and approval.
- المصدر الأساسي
- Official authority and international publications listed in Sources
Independent assurance tests the complete customer lifecycle and preserves why each production rule is configured as it is.
- إجراء التنفيذ
- Sample onboarding, ownership, PEP, sanctions, thresholds, wires, STRs, privacy, access and retention; report findings and verify closure.
- الأدلة الواجب الاحتفاظ بها
- Control-to-law map, monitoring plan, audit report, issue register, closure evidence and release history.
- المصدر الأساسي
- MLPC Act, s. 25(1)(e); RBZ AML/CFT/CPF Guideline, paras. 3.98-3.103

11 مجال رقابي و53 فحص تنفيذ مع روابط مباشرة للمصادر التنظيمية.
حمّل قائمة KYC وKYB وAML الخاصة بـ زيمبابوي
شارك بيانات العمل للوصول الفوري إلى قائمة التنفيذ الموثقة بالمصادر لـ زيمبابوي. تاريخ المراجعة التنظيمية: 16 July 2026.
احصل على ملف PDF فورًا
أرسل بياناتك ليبدأ التنزيل تلقائيًا
مراجعة وموثقة بالمصادر
الإصدار 1.0، تمت المراجعة في 16 July 2026
موثوق به من فرق الامتثال الرائدة
سجل المصادر الأساسية
27 مصدرًا مستخدمًا في هذه القائمة
استخدم هذه الروابط للتحقق من التشريعات وإرشادات الجهات الرقابية وإجراءات الإبلاغ والبيانات الدولية.
- Money Laundering and Proceeds of Crime Act [Chapter 9:24], updated through Act 7 of 2025Financial Intelligence Unit of Zimbabwe · Primary legislation
- Zimbabwe AML/CFT legal frameworkFinancial Intelligence Unit of Zimbabwe · Official legal-framework register
- FIU directives registerFinancial Intelligence Unit of Zimbabwe · Official directives register
- Revised thresholds for CTRs, EFTs and IFTs, Directive 01/04/2024Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- Targeted-financial-sanctions Directive PFIU3/09/24Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- High-risk and increased-monitoring jurisdictions Directive PFIU17/02/2026Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- FIU guidelines registerFinancial Intelligence Unit of Zimbabwe · Official guidance register
- goAML reporting portalFinancial Intelligence Unit of Zimbabwe · Official reporting platform
- Inspection notice on goAML registration and CTR submissions, 8 May 2025Financial Intelligence Unit of Zimbabwe · Official compliance notice
- AML/CFT/CPF Guideline, June 2025Reserve Bank of Zimbabwe · Binding sector guideline
- RBZ National Payment Systems legal basisReserve Bank of Zimbabwe · Official regulator guidance
- RBZ retail payment-system approval requirementsReserve Bank of Zimbabwe · Official licensing requirements
- National Payment Systems guidelines, directives and circularsReserve Bank of Zimbabwe · Official sector register
- Banking (Money Transmission, Mobile Banking and Mobile Money Interoperability) Regulations, 2020Reserve Bank of Zimbabwe · Primary sector regulation
- Guidelines for QR Code Payments in Zimbabwe, March 2026Reserve Bank of Zimbabwe · Current sector guideline
- Money Laundering and Proceeds of Crime (Virtual Asset Service Providers Registration) Regulations, 2026Financial Intelligence Unit of Zimbabwe · Primary sector regulation
- Companies and Other Business Entities Act [Chapter 24:31]Zimbabwe Legal Information Institute · Primary legislation
- Companies and Other Business Entities (Pre-Formation and Post-Formation Formalities) Regulations, 2020Zimbabwe Investment and Development Agency eRegulations · Primary regulation and forms
- Cyber and Data Protection Act [Chapter 12:07]Ministry of Information Communication Technology, Postal and Courier Services · Primary legislation
- Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024POTRAZ · Primary regulation
- Data Controller Licence Application Form DP1POTRAZ Data Protection Authority · Official form
- FATF jurisdictions under increased monitoring, 19 June 2026FATF · Official international status statement
- FATF high-risk jurisdictions subject to a call for action, 19 June 2026FATF · Official international status statement
- FATF Plenary outcome removing Zimbabwe from increased monitoring, March 2022FATF · Official international status statement
- Zimbabwe follow-up report, April 2024FATF / ESAAMLG · Official peer-review status
- Zimbabwe country and mutual-evaluation pageESAAMLG · Official regional assessment register
- UN Security Council consolidated sanctions listUnited Nations · Official sanctions list
إجابات مباشرة
أسئلة KYC وKYB وAML في زيمبابوي
What is Zimbabwe's principal AML/CFT/CPF law?+
The Money Laundering and Proceeds of Crime Act [Chapter 9:24]. The FIU's current consolidated copy includes amendments through Act 7 of 2025, including virtual-asset and proliferation-financing changes.
Who receives suspicious transaction reports?+
The Financial Intelligence Unit of Zimbabwe. Reporting institutions use the FIU's goAML platform.
When is an STR due?+
Promptly and no later than three working days after suspicion is formed. Attempted transactions are included.
Does an amount have to be reached before filing an STR?+
No. Suspicion reporting is independent of value. A transaction can require both an STR and a separate threshold report.
What is the general occasional-transaction CDD threshold?+
USD 5,000 or more, including linked transactions, for the general statutory trigger. Suspicion or doubt about earlier identity evidence triggers CDD regardless of value, and sector-specific thresholds also exist.
What is the wire-transfer CDD threshold?+
USD 1,000 or more for a domestic or international wire, subject to any later prescribed change.
Which company beneficial-owner threshold applies?+
Company law uses more than 20% of shares or voting rights, majority-director appointment or removal rights, or other significant influence or control. The company must file material changes within seven days.
Why does the guide also mention 25% and 10%?+
They belong to different rules. The AML Act contains a 25%-or-more deemed ownership test, while the June 2025 RBZ guideline directs banks and microfinance institutions to identify and verify beneficial owners at 10% ownership and above. Control must still be assessed.
Can a registry extract replace independent KYB?+
No. Verify legal existence, authority, directors, licences, tax and ownership evidence and reconcile discrepancies. Trace ownership and control to natural persons.
What happens if CDD cannot be completed?+
Do not establish or maintain the relationship and report immediately to the FIU as required. If continued CDD would tip off a suspected customer, stop that process and file the appropriate report.
What PEP controls apply?+
Determine whether the customer or beneficial owner is a PEP, obtain senior-management approval where required, establish source of wealth and funds or assets and apply increased monitoring. Cover family and close associates in the cases described by the RBZ guideline.
What automatic threshold reports apply to banks?+
Under FIU Directive 01/04/2024, bank CTR and EFT thresholds are ZiG 70,000 for local transactions or USD 5,000 equivalent for foreign-currency transactions; the IFT threshold is USD 5,000 equivalent. Weekly returns, including nil returns, are due on or before the second working day of the week.
What threshold report applies to NBFIs and DNFBPs?+
The same directive sets CTR thresholds at ZiG 70,000 for local transactions or USD 5,000 equivalent for foreign currency. Monthly CTR or nil returns are due on or before the tenth day.
How long are AML records kept?+
Generally at least five years: CDD and relationship records from the relationship end, transaction records from the transaction and STR material from the report. Detached intermediary wire data covered by section 27(8) is kept at least ten years.
What happens on a confirmed UN sanctions match?+
Freeze the covered funds, assets and economic resources without prior notice, immediately and no later than 24 hours; prevent funds or services being made available; and report through goAML immediately and no later than 24 hours. Assess an STR separately.
How often should sanctions screening run?+
Before onboarding or an occasional transaction and daily thereafter under the FIU's 2024 directive. RBZ-regulated institutions also maintain real-time screening for cross-border transactions.
Are virtual-asset service providers regulated?+
Yes. S.I. 99 of 2026 creates FIU registration, fitness, governance, AML, travel-rule, unhosted-wallet and recordkeeping requirements. A certificate is valid for one year unless earlier suspended, surrendered or revoked.
When does the VASP travel rule apply?+
The ordering VASP must obtain and hold prescribed originator and beneficiary information for all virtual-asset transfers and send it securely. CDD applies at USD 1,000 or more, and unhosted-wallet transfers above USD 1,000 require wallet-ownership proof.
Must a KYC provider obtain a POTRAZ data-controller licence?+
A person determining the purposes and means of processing or processing for commercial benefit falls within the 2024 licensing rules unless exempt. Confirm the appropriate licence tier with POTRAZ, appoint a DPO and maintain the required notifications.
What is required for biometric KYC?+
Biometric data generally requires written consent unless a statutory exception applies. Notify POTRAZ of biometric or genetic processing, minimise collection, secure the data and preserve the lawful-condition analysis and consent or exception evidence.
How quickly must a personal-data breach be notified?+
Notify POTRAZ within 24 hours of awareness. If the breach is likely to create high risk for individuals' rights and freedoms, inform those people within 72 hours. The controller also completes the investigation and report within 21 days from notification.
Can KYC data be hosted outside Zimbabwe?+
Only with the section 28 adequacy conditions or a section 29 transfer condition, plus the required POTRAZ notification and any current authorisation. Map every foreign hosting, support and access location before transfer.
Is Zimbabwe on the FATF grey list?+
No, not in the FATF public statements dated 19 June 2026. FATF removed Zimbabwe from increased monitoring in March 2022. Zimbabwe remains in ESAAMLG enhanced follow-up, which is a separate peer-review process.
منهجية البحث والمراجعة
تحدد VOVE ID Compliance Research النطاق التنظيمي، وتحول الالتزامات إلى ضوابط تشغيلية، وتربط الادعاءات الجوهرية بالمصادر، وتسجل تاريخ وإصدار كل مراجعة.
VOVE ID Compliance Research · تاريخ المراجعة 16 July 2026 · الإصدار 1.0
This checklist is general regulatory information, not legal advice or a licence determination. It reflects sources reviewed on 16 July 2026. Confirm current gazetted law, FIU directives, RBZ conditions, company-registry forms, data-controller licensing and reporting mechanics with Zimbabwean counsel and the competent authority before launch. Sector scope matters: bank-specific guidance, company-register thresholds, AML beneficial-ownership tests and VASP rules are not interchangeable. VOVE ID can support evidence collection, screening and audit trails, but the reporting entity remains responsible for customer acceptance, reporting, freezing and compliance decisions.