KYC, KYB & AML compliance checklist
Zimbabwe KYC, KYB & AML
A source-backed implementation checklist for customer and business verification in Zimbabwe. It incorporates the consolidated Money Laundering and Proceeds of Crime Act through Act 7 of 2025, the RBZ 2025 banking guideline, current FIU reporting and targeted-financial-sanctions directives, company beneficial-ownership filings, payment-system oversight, the June 2026 VASP registration regime and current privacy licensing and breach rules.
- Reviewed
- 16 July 2026
- Version
- 1.0
- control areas
- 11
- implementation checks
- 53
Direct answer
What does the Zimbabwe compliance checklist cover?
The Zimbabwe checklist translates primary KYC, KYB and AML rules into 11 control areas and 53 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Primary AML/CFT/CPF law
- Money Laundering and Proceeds of Crime Act [Chapter 9:24], consolidated through Act 7 of 2025
- Financial intelligence unit
- Financial Intelligence Unit of Zimbabwe (FIU)
- STR timing and channel
- Promptly and no later than three working days after suspicion; submit through goAML
- General occasional CDD trigger
- USD 5,000 or more, including linked transactions; suspicion and identity doubt override thresholds
- Wire CDD trigger
- USD 1,000 or more for domestic or international wires
- Core AML retention
- At least five years, with the event depending on the record class
- Company beneficial ownership
- More than 20% shares or voting rights, majority-director appointment/removal rights, or other significant influence or control; changes filed within seven days
- RBZ banking BO guide
- Identify and verify beneficial owners at 10% ownership and above, while also testing control
- Targeted financial sanctions
- Screen daily; freeze and report a confirmed match immediately and within 24 hours
- Data breach
- Notify POTRAZ within 24 hours; notify affected people within 72 hours where high risk
- VASP regime
- FIU registration under S.I. 99 of 2026; certificate valid one year; travel rule applies to all virtual-asset transfers
- FATF public lists
- Not listed in the public statements dated 19 June 2026; ESAAMLG enhanced follow-up continues
Implementation detail
Zimbabwe compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Scope, authorities and regulated activitiesResolve the legal entity, product, profession and supervisor perimeter before configuring controls or launching a service.4 items+
The AML/CFT/CPF regime covers financial institutions and designated non-financial businesses and professions, including the categories defined in the Act.
- Implementation action
- Map every entity, product, customer flow, profession, branch, agent and outsourced activity to its statutory category and competent supervisor.
- Evidence to retain
- Signed perimeter memorandum, entity-product matrix, licences and supervisor map.
- Primary citation
- Money Laundering and Proceeds of Crime Act [Chapter 9:24] (MLPC Act), ss. 2, 13 and First Schedule
The FIU administers the reporting framework, receives reports and may issue binding directives; sector supervisors retain their licensing and supervisory roles.
- Implementation action
- Assign authority contacts, goAML credentials, alternates, reporting ownership and a controlled regulatory calendar.
- Evidence to retain
- Authority map, FIU registration, goAML access register, appointments and reporting calendar.
- Primary citation
- MLPC Act, ss. 4-6G and 30; FIU legal-framework and directives pages
Retail payment, switching, mobile-money and related payment activity requires the applicable RBZ approval before operation; non-bank applicants follow the current partnership and submission conditions stated by RBZ.
- Implementation action
- Obtain an RBZ classification and every required approval before pilot or live launch, and track conditions, agents, settlement, interoperability and consumer-protection duties.
- Evidence to retain
- RBZ approval, classification, approved product map, conditions register, bank-partner agreement and agent inventory.
- Primary citation
- National Payment Systems Act [Chapter 24:23]; RBZ National Payment Systems approval requirements; S.I. 80 of 2020
A person providing virtual-asset services must be registered with the FIU under S.I. 99 of 2026; applicants must be Zimbabwe-incorporated or operate through a Zimbabwe subsidiary.
- Implementation action
- Do not offer exchange, transfer, custody, administration or issuer-related virtual-asset services until the FIU issues the applicable registration certificate and conditions.
- Evidence to retain
- VASP perimeter analysis, Zimbabwe incorporation, application pack, FIU certificate, conditions and renewal calendar.
- Primary citation
- MLPC Act, s. 2 definition of financial institution; S.I. 99 of 2026, ss. 4-9
02Governance, risk assessment and control ownershipUse documented ML, TF and proliferation-financing risk to design accountable, tested and resourced controls.4 items+
Reporting institutions assess and mitigate customer, country, product, service, transaction and delivery-channel ML/TF/PF risk and apply proportionate measures.
- Implementation action
- Maintain enterprise and customer-risk methodologies, data inputs, inherent and residual ratings, mitigants, overrides and approval.
- Evidence to retain
- Risk methodology, enterprise assessment, customer model, risk register, remediation plan and approval.
- Primary citation
- MLPC Act, s. 12B; RBZ AML/CFT/CPF Guideline, paras. 2.1-2.49
Banks and microfinance institutions under the RBZ guideline review their institutional risk assessment at least annually and assess new products and technologies before launch.
- Implementation action
- Set an annual review and a pre-launch gate covering AML/CFT/CPF, fraud, sanctions, cyber and privacy risk.
- Evidence to retain
- Annual assessment, product assessment, control sign-offs, test results and release decision.
- Primary citation
- RBZ AML/CFT/CPF Guideline, paras. 2.8-2.9 and 3.9-3.11
An AML/CFT/CPF programme includes policies and controls, employee screening, ongoing training, technology-misuse controls and independent audit.
- Implementation action
- Approve a complete programme, name control owners, resource independent testing and track corrective action to closure.
- Evidence to retain
- Board-approved policies, owner register, training, screening, audit plan, reports and remediation tracker.
- Primary citation
- MLPC Act, s. 25(1); RBZ AML/CFT/CPF Guideline, Part 3
A management-level compliance officer must oversee implementation and have ready access to books, records and employees.
- Implementation action
- Document appointment, authority, independence, information access, deputies and direct reporting to senior management and the board.
- Evidence to retain
- Appointment resolution, charter, access matrix, resource plan and governance reports.
- Primary citation
- MLPC Act, s. 25(2)-(3); RBZ AML/CFT/CPF Guideline, paras. 3.22-3.32
03Natural-person identification and CDDIdentify, verify and understand customers at every statutory trigger and before activation except for a narrow controlled timing exception.5 items+
CDD applies when establishing a relationship, at an occasional transaction of USD 5,000 or more including linked transactions, at a wire of USD 1,000 or more, whenever suspicion exists and whenever earlier identity evidence is doubtful.
- Implementation action
- Configure relationship, aggregation, wire, suspicion and identity-doubt triggers; never use a monetary threshold to suppress suspicion-driven CDD.
- Evidence to retain
- CDD trigger matrix, aggregation logic, configuration, test cases and exceptions.
- Primary citation
- MLPC Act, s. 15(1); RBZ AML/CFT/CPF Guideline, para. 3.36
Sector-specific triggers also apply: gaming operators at USD 3,000 and precious-stones or precious-metals dealers receiving currency at USD 15,000, subject to any current prescribed change.
- Implementation action
- Keep sector thresholds in a governed register and link each threshold to the correct activity and customer population.
- Evidence to retain
- Sector analysis, threshold register, configuration and periodic legal check.
- Primary citation
- MLPC Act, s. 15(2)
Natural-person identity is verified with an official identity document; the customer definition includes signatories, authorised persons and attempted actors.
- Implementation action
- Validate identity attributes and document authenticity, screen the person and separately verify every representative's authority.
- Evidence to retain
- Identity copy, authenticity result, source provenance, screening and mandate.
- Primary citation
- MLPC Act, ss. 13, 15 and 17; RBZ AML/CFT/CPF Guideline, paras. 3.34-3.50
CDD captures the purpose and intended nature of the relationship and enough information to understand the customer's business and expected activity.
- Implementation action
- Record products, volumes, values, counterparties, countries, source of funds where appropriate and an approved expected-activity baseline.
- Evidence to retain
- Customer profile, purpose statement, expected-activity baseline, source evidence and risk score.
- Primary citation
- MLPC Act, s. 17(e)-(f); RBZ AML/CFT/CPF Guideline, para. 3.49
Identity verification normally precedes the relationship; limited deferral is allowed only where delay is unavoidable for normal business and ML/TF/PF risk is adequately controlled.
- Implementation action
- Use a documented exception with restrictions, completion deadline and escalation; do not treat deferral as routine onboarding.
- Evidence to retain
- Exception approval, risk rationale, account restrictions, completion timestamp and overdue report.
- Primary citation
- MLPC Act, s. 16; RBZ AML/CFT/CPF Guideline, paras. 3.43-3.47
04KYB, registries and beneficial ownershipVerify legal existence, authority and the natural persons who ultimately own or control the entity; apply the threshold appropriate to the legal context.5 items+
Legal-person CDD covers name, address, directors, incorporation, legal form, binding authority, ownership and control.
- Implementation action
- Verify these from current registry, constitutional, licence, tax and mandate evidence; reconcile inconsistencies.
- Evidence to retain
- Registry extract, constitutive documents, licences, directors, mandate and discrepancy log.
- Primary citation
- MLPC Act, s. 17(b); RBZ Guideline, para. 3.49
AML CDD identifies the natural-person beneficial owner; 25% or more ownership or voting control is a deemed test, but other control still applies.
- Implementation action
- Trace all layers, calculate interests, identify the transaction beneficiary and test effective control.
- Evidence to retain
- Ownership chart, calculations, declarations, control analysis and verified BO files.
- Primary citation
- MLPC Act, ss. 13 and 15(2)-(3)
RBZ's 2025 guide directs banks and microfinance institutions to identify and verify BOs at 10% ownership and above, alongside control tests.
- Implementation action
- Configure the 10% floor for covered institutions and investigate control, nominees and higher-risk ownership.
- Evidence to retain
- Scope memo, configuration, ownership chart, control analysis and tests.
- Primary citation
- RBZ Guideline, paras. 2.21 and 3.37-3.42
Company-law BO means more than 20% of shares or votes, majority-director appointment or removal rights, or other significant influence or control.
- Implementation action
- Maintain the company's current BO register using every statutory limb, not shareholding alone.
- Evidence to retain
- Company BO register, identity and control evidence, resident custodian and review log.
- Primary citation
- Companies and Other Business Entities Act, ss. 2 and 72
A company files current BO information and any material change with the Registrar within seven days.
- Implementation action
- Use the current form and reconcile the company register, Registrar filing and AML CDD record.
- Evidence to retain
- Declaration, receipt, seven-day change log and reconciliation.
- Primary citation
- Companies and Other Business Entities Act, s. 72(2); S.I. 46/2020
05PEPs, enhanced due diligence and remote onboardingHigher-risk, politically exposed and non-face-to-face relationships require additional evidence, accountable approval and closer monitoring.5 items+
Systems must determine whether a customer or beneficial owner is a PEP and distinguish foreign PEPs from domestic or international-organisation PEPs according to risk.
- Implementation action
- Screen before activation and continuously, resolve matches with reliable role evidence and extend controls to required family members and close associates.
- Evidence to retain
- Screening result, role and relationship evidence, match decision, risk rationale and review log.
- Primary citation
- MLPC Act, ss. 13 and 20; RBZ AML/CFT/CPF Guideline, paras. 3.64-3.68
Applicable PEP relationships require senior-management approval, reasonable measures to establish source of wealth and source of funds or assets and increased ongoing monitoring.
- Implementation action
- Obtain and corroborate source evidence, record approval before starting or continuing the relationship and configure enhanced monitoring.
- Evidence to retain
- Source-of-wealth and source-of-funds file, approval, monitoring plan and reviews.
- Primary citation
- MLPC Act, s. 20; RBZ AML/CFT/CPF Guideline, para. 3.68
High-risk customers, products, services and situations receive enhanced measures; simplified measures are permitted only for substantiated low risk and do not remove CDD or monitoring.
- Implementation action
- Define risk-based standard, enhanced and simplified control sets, eligibility rules, prohibited overrides and review frequency.
- Evidence to retain
- Risk-control matrix, low-risk rationale, EDD file, approvals and override log.
- Primary citation
- MLPC Act, ss. 12B and 20; RBZ AML/CFT/CPF Guideline, paras. 3.71-3.76
Non-face-to-face business must use measures no less effective than in-person due diligence and address impersonation and document risk.
- Implementation action
- Use risk-based document integrity, liveness or presence, independent data, device and fraud checks and governed manual review.
- Evidence to retain
- Remote-onboarding standard, vendor assurance, test pack, fraud logs and exceptions.
- Primary citation
- MLPC Act, s. 19; RBZ AML/CFT/CPF Guideline, paras. 3.57-3.63
If required CDD cannot be completed, do not establish or maintain the relationship and report immediately to the FIU; avoid pursuing CDD where it would tip off a suspected customer.
- Implementation action
- Route failed or unsafe CDD to decline, restriction or exit and a confidential reporting decision without alerting the customer.
- Evidence to retain
- Failure reason, decline or exit, immediate report or STR decision, submission and restricted access log.
- Primary citation
- MLPC Act, ss. 22 and 31; RBZ AML/CFT/CPF Guideline, paras. 3.69-3.70 and 3.130
06Monitoring, suspicious reporting and confidentialityMonitor the relationship continuously and submit complete reports through the prescribed FIU channel on time.5 items+
Ongoing due diligence keeps customer and beneficial-owner data current and examines transactions against the known customer, activities and risk profile.
- Implementation action
- Configure risk-based refresh, event triggers and transaction monitoring and investigate material deviations from expected activity.
- Evidence to retain
- Refresh schedule, trigger log, monitoring scenarios, alerts, cases and updated CDD.
- Primary citation
- MLPC Act, s. 26; RBZ AML/CFT/CPF Guideline, paras. 2.47-2.51 and 3.71-3.78
Complex, unusual large or purposeless transactions and unusual patterns require special attention, written findings and retention.
- Implementation action
- Document background, purpose, actors, source and destination of funds, corroboration and the final reporting decision.
- Evidence to retain
- Enhanced-review memorandum, transaction data, supporting evidence, decision and reviewer sign-off.
- Primary citation
- MLPC Act, ss. 24 and 26(2)
A financial institution, DNFBP and covered officers or agents report property, a transaction or an attempted transaction suspected or reasonably suspected to involve crime, terrorism, terrorist financing or proliferation.
- Implementation action
- Escalate immediately, preserve the suspicion timestamp and submit a complete STR to the FIU through goAML.
- Evidence to retain
- Internal report, analysis, STR, goAML receipt, case timeline and any supplement.
- Primary citation
- MLPC Act, s. 30(1); RBZ AML/CFT/CPF Guideline, paras. 3.104-3.110
An STR is due promptly and no later than three working days after suspicion is formed; attempted transactions are reportable.
- Implementation action
- Use a shorter internal SLA that leaves time for review and measure from the documented point at which suspicion was formed.
- Evidence to retain
- Suspicion timestamp, internal SLA, approval, submission timestamp and overdue report.
- Primary citation
- MLPC Act, s. 30(1); RBZ AML/CFT/CPF Guideline, paras. 3.105-3.108
Tipping off is prohibited and reporting information is protected; secrecy duties do not block statutory reporting.
- Implementation action
- Restrict STR access, suppress customer-facing indicators, train staff and separate lawful information requests from prohibited disclosure.
- Evidence to retain
- Access matrix, immutable case log, training, communications controls and access review.
- Primary citation
- MLPC Act, ss. 31-33; RBZ AML/CFT/CPF Guideline, paras. 3.126-3.132
07Payments, wires, threshold reports and virtual assetsKeep CDD triggers, automatic threshold reports, wire data and virtual-asset travel-rule controls distinct.6 items+
Qualifying wires carry accurate originator and beneficiary data; incomplete transfers require risk-based repair, rejection or suspension.
- Implementation action
- Validate fields before execution, retain data across the chain and govern missing-data decisions.
- Evidence to retain
- Field specification, rules, repair/reject queue, samples and logs.
- Primary citation
- MLPC Act, s. 27; RBZ Guideline, paras. 3.143-3.156
For banks, Directive 01/04/2024 sets CTR/EFT thresholds at ZiG 70,000 local or USD 5,000 equivalent foreign currency, and IFT at USD 5,000 equivalent.
- Implementation action
- Configure separate report types and currency rules and re-check the FIU for changes.
- Evidence to retain
- Threshold register, system and currency rules, tests and dated check.
- Primary citation
- FIU Directive 01/04/2024, para. 2.1
Banks submit weekly threshold and nil returns on or before the second working day of the week.
- Implementation action
- Reconcile, approve and submit each CTR, EFT and IFT return through goAML on time.
- Evidence to retain
- Reconciliation, return, approval, receipt and overdue log.
- Primary citation
- FIU Directive 01/04/2024, para. 2.2
NBFIs and DNFBPs submit CTR or nil returns at ZiG 70,000 local or USD 5,000 equivalent foreign currency monthly by the tenth day.
- Implementation action
- Confirm scope, reconcile the monthly return and retain the goAML acknowledgement.
- Evidence to retain
- Scope, configuration, return, reconciliation and receipt.
- Primary citation
- FIU Directive 01/04/2024, paras. 3.1-3.2
A suspicious threshold transaction requires separate STR and threshold reports.
- Implementation action
- Link but do not merge the cases; preserve separate grounds, reports and receipts.
- Evidence to retain
- Linked IDs, STR, threshold return, receipts and decision.
- Primary citation
- RBZ Guideline, paras. 3.133-3.135
S.I. 99/2026 applies travel data to all virtual-asset transfers, CDD at USD 1,000 or more and wallet-ownership proof above USD 1,000 for unhosted wallets.
- Implementation action
- Verify and transmit travel data, detect missing fields, prove wallet control and monitor risk.
- Evidence to retain
- Travel messages, KYC, wallet proof, decision and monitoring.
- Primary citation
- S.I. 99/2026, ss. 17-21
08Targeted financial sanctionsUse current UN lists and FIU instructions to identify, freeze and report designated assets without prior notice.4 items+
FIs, DNFBPs and other natural and legal persons apply Zimbabwe's UN targeted-financial-sanctions framework for terrorism and proliferation financing.
- Implementation action
- Maintain a legal list inventory, FIU/goAML registration, accountable sanctions owner and procedures for designation, delisting and false positives.
- Evidence to retain
- List inventory, subscriptions, procedure, role assignment and change log.
- Primary citation
- S.I. 76 of 2014; S.I. 110 of 2021; FIU CFT/CPF Directive PFIU3/09/24
Screen existing and potential customers, beneficial owners, transaction parties, directors and agents before onboarding or an occasional transaction and thereafter daily.
- Implementation action
- Run daily list updates and rescreening, pre-transaction checks and real-time cross-border payment screening where applicable.
- Evidence to retain
- List versions, screening timestamps, population reconciliation, alerts and match decisions.
- Primary citation
- FIU CFT/CPF Directive PFIU3/09/24, Part 3; RBZ AML/CFT/CPF Guideline, paras. 3.79-3.83
A confirmed match triggers freezing without delay, immediately and in any case within 24 hours, without prior notice, plus a prohibition on funds, assets, services or economic resources being made available.
- Implementation action
- Block accounts, transactions and services, identify all directly or indirectly owned or controlled assets and prevent movement until lawful release.
- Evidence to retain
- Match validation, freeze timestamp, asset inventory, transaction blocks, access log and release authority.
- Primary citation
- FIU CFT/CPF Directive PFIU3/09/24, Part 3; S.I. 76 of 2014; S.I. 110 of 2021
A confirmed match and action taken are reported to the FIU through goAML immediately and no later than 24 hours; a nil return is submitted when an FIU list update yields no match.
- Implementation action
- Submit the designated-person and asset particulars and action taken, file any required nil return and assess an STR separately where TF or PF is suspected.
- Evidence to retain
- GoAML sanctions report, receipt, nil return, STR decision and linked case record.
- Primary citation
- FIU CFT/CPF Directive PFIU3/09/24, Reporting; RBZ AML/CFT/CPF Guideline, paras. 4.11-4.17
09Records, confidentiality and regulator accessRetain reconstructable records for the correct event-based period and make them available promptly to authorised authorities.4 items+
CDD files, account records and business correspondence are retained for at least five years after the relationship ends; transaction records are retained for at least five years from the transaction.
- Implementation action
- Map every record class to the correct start event, legal hold, access rule and deletion control.
- Evidence to retain
- Retention schedule, lifecycle configuration, legal-hold procedure, archive and deletion test.
- Primary citation
- MLPC Act, s. 24(2)(a)-(b)
Written findings for complex or unusual activity and copies of STRs and supporting material are retained for at least five years from the transaction or report, as applicable.
- Implementation action
- Store analysis and reports in a restricted archive linked to the relevant customer and transaction without exposing the filing.
- Evidence to retain
- Restricted case archive, linkage, retention configuration and access review.
- Primary citation
- MLPC Act, s. 24(2)(c)-(d); RBZ AML/CFT/CPF Guideline, paras. 3.138-3.142
Where a technical limitation separates required cross-border wire data from the related domestic transfer, the intermediary institution keeps the received information for at least ten years.
- Implementation action
- Preserve detached wire data with a reliable transaction link and test complete reconstruction.
- Evidence to retain
- Wire archive, linkage key, ten-year rule, retrieval and reconstruction test.
- Primary citation
- MLPC Act, s. 27(8)
Records and underlying information must be available on a timely basis to the FIU and authorised competent authorities; third-party reliance does not transfer responsibility.
- Implementation action
- Authenticate requests, apply least-privilege disclosure, retrieve promptly and log the response and chain of custody.
- Evidence to retain
- Request register, authentication, response package, access log and retrieval test.
- Primary citation
- MLPC Act, ss. 18 and 24; RBZ AML/CFT/CPF Guideline, para. 3.142
10Privacy, biometrics and international transfersAML necessity does not remove data-protection duties. Identity and biometric processing require lawful purpose, licensing, security, rights and transfer controls.7 items+
A person deciding the means, purpose or outcome of personal-data processing, the data collected or the people concerned, or processing for commercial benefit must apply for the applicable POTRAZ data-controller licence unless exempt.
- Implementation action
- Classify the controller, confirm the correct tier with POTRAZ, obtain the licence and renew it at least three months before its 12-month expiry.
- Evidence to retain
- Applicability analysis, DP1 application, licence, tier confirmation, fees and renewal calendar.
- Primary citation
- Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (S.I. 155 of 2024), ss. 3-8
A data controller appoints a qualified and certified DPO and notifies POTRAZ; DPO contact changes and termination are notified within 14 days and a replacement is appointed within 90 days.
- Implementation action
- Appoint an independent DPO, file Form DP2, publish contact routes and maintain succession and notification triggers.
- Evidence to retain
- Appointment, certification, DP2, POTRAZ receipt, contact notice and succession calendar.
- Primary citation
- S.I. 155 of 2024, ss. 12-14
Processing must be necessary, fair, lawful, purpose-limited, accurate, minimised and retained no longer than necessary; data subjects have information, access, objection, correction and deletion rights.
- Implementation action
- Maintain notices, purpose and basis records, data inventory, minimisation and retention rules and a tested rights-request workflow.
- Evidence to retain
- Privacy notice, processing inventory, lawful-basis register, retention schedule, rights log and responses.
- Primary citation
- Cyber and Data Protection Act [Chapter 12:07], ss. 7-14
Genetic, biometric and health data generally require written consent unless a statutory exception applies; POTRAZ must also be notified of biometric or genetic processing.
- Implementation action
- Document the lawful condition, collect and preserve written consent where relied on, offer withdrawal mechanics and notify POTRAZ before production.
- Evidence to retain
- Biometric assessment, written consent or exception memo, POTRAZ notice, withdrawal log and access controls.
- Primary citation
- Cyber and Data Protection Act, ss. 11-12; S.I. 155 of 2024, s. 10(2)(d)
Controllers and processors use appropriate technical and organisational security and a written processing agreement; a personal-data breach is notified to POTRAZ within 24 hours of awareness.
- Implementation action
- Contract processors, test security and incident response, use Form DP3 and preserve a complete breach record and investigation.
- Evidence to retain
- Processor agreement, security assessment, incident log, DP3, POTRAZ receipt and investigation report.
- Primary citation
- Cyber and Data Protection Act, ss. 18-19; S.I. 155 of 2024, ss. 16-17
Where a breach is likely to create high risk for individual rights and freedoms, affected data subjects are informed within 72 hours; the controller responds to authority requests within 14 days and concludes and reports its investigation within 21 days from notification.
- Implementation action
- Classify breach risk, prepare individual notice, track authority questions and complete the investigation and final report on the statutory clocks.
- Evidence to retain
- Risk assessment, individual notice, delivery proof, authority responses, investigation and final report.
- Primary citation
- S.I. 155 of 2024, s. 17(3)-(5)
Foreign transfers require adequate protection or a statutory section 29 condition; S.I. 155 also requires notification to POTRAZ of intended foreign transfer or sharing.
- Implementation action
- Map hosting and support locations, assess adequacy or the transfer condition, notify POTRAZ and obtain any current required authorisation before transfer.
- Evidence to retain
- Transfer map, assessment, contracts, POTRAZ notification or authorisation, security controls and review.
- Primary citation
- Cyber and Data Protection Act, ss. 28-29; S.I. 155 of 2024, s. 10(2)(c)
11Implementation and audit evidence packA defensible programme links every legal claim to configuration, ownership, dated sources, testing and a controlled residual-risk decision.4 items+
A pre-launch gate covers perimeter, licensing, CDD, beneficial ownership, PEPs, monitoring, reporting, sanctions, records, privacy, payments and virtual assets.
- Implementation action
- Block production until accountable owners approve control design and every material gap has a closed remediation or explicit lawful launch condition.
- Evidence to retain
- Launch checklist, approvals, test pack, gap register and release decision.
- Primary citation
- MLPC Act; applicable FIU, RBZ, company, VASP and data-protection instruments
Agents, outsourced KYC providers, cloud services, processors and other vendors do not remove the regulated entity's accountability.
- Implementation action
- Assess providers, contract evidence access, audit, security and confidentiality, monitor performance, test retrieval and maintain an exit plan.
- Evidence to retain
- Due-diligence file, contract, audit and access test, monitoring reports, issues and exit plan.
- Primary citation
- MLPC Act, s. 18; S.I. 155 of 2024, s. 10(4)(f); RBZ NPS approval requirements
Thresholds, FATF lists, UN designations, FIU directives, RBZ conditions, VASP registration and privacy forms can change.
- Implementation action
- Assign owners to monitor official FIU, RBZ, Companies Office, POTRAZ, Gazette, FATF and ESAAMLG sources and assess every change against systems and existing customers.
- Evidence to retain
- Legal inventory, source log, change assessment, implementation ticket and approval.
- Primary citation
- Official authority and international publications listed in Sources
Independent assurance tests the complete customer lifecycle and preserves why each production rule is configured as it is.
- Implementation action
- Sample onboarding, ownership, PEP, sanctions, thresholds, wires, STRs, privacy, access and retention; report findings and verify closure.
- Evidence to retain
- Control-to-law map, monitoring plan, audit report, issue register, closure evidence and release history.
- Primary citation
- MLPC Act, s. 25(1)(e); RBZ AML/CFT/CPF Guideline, paras. 3.98-3.103

11 control areas and 53 implementation checks, with direct regulatory sources.
Download the Zimbabwe KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Zimbabwe implementation checklist. Regulatory review date: 16 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.0, reviewed 16 July 2026
Trusted by leading compliance teams
Primary-source register
27 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Money Laundering and Proceeds of Crime Act [Chapter 9:24], updated through Act 7 of 2025Financial Intelligence Unit of Zimbabwe · Primary legislation
- Zimbabwe AML/CFT legal frameworkFinancial Intelligence Unit of Zimbabwe · Official legal-framework register
- FIU directives registerFinancial Intelligence Unit of Zimbabwe · Official directives register
- Revised thresholds for CTRs, EFTs and IFTs, Directive 01/04/2024Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- Targeted-financial-sanctions Directive PFIU3/09/24Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- High-risk and increased-monitoring jurisdictions Directive PFIU17/02/2026Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- FIU guidelines registerFinancial Intelligence Unit of Zimbabwe · Official guidance register
- goAML reporting portalFinancial Intelligence Unit of Zimbabwe · Official reporting platform
- Inspection notice on goAML registration and CTR submissions, 8 May 2025Financial Intelligence Unit of Zimbabwe · Official compliance notice
- AML/CFT/CPF Guideline, June 2025Reserve Bank of Zimbabwe · Binding sector guideline
- RBZ National Payment Systems legal basisReserve Bank of Zimbabwe · Official regulator guidance
- RBZ retail payment-system approval requirementsReserve Bank of Zimbabwe · Official licensing requirements
- National Payment Systems guidelines, directives and circularsReserve Bank of Zimbabwe · Official sector register
- Banking (Money Transmission, Mobile Banking and Mobile Money Interoperability) Regulations, 2020Reserve Bank of Zimbabwe · Primary sector regulation
- Guidelines for QR Code Payments in Zimbabwe, March 2026Reserve Bank of Zimbabwe · Current sector guideline
- Money Laundering and Proceeds of Crime (Virtual Asset Service Providers Registration) Regulations, 2026Financial Intelligence Unit of Zimbabwe · Primary sector regulation
- Companies and Other Business Entities Act [Chapter 24:31]Zimbabwe Legal Information Institute · Primary legislation
- Companies and Other Business Entities (Pre-Formation and Post-Formation Formalities) Regulations, 2020Zimbabwe Investment and Development Agency eRegulations · Primary regulation and forms
- Cyber and Data Protection Act [Chapter 12:07]Ministry of Information Communication Technology, Postal and Courier Services · Primary legislation
- Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024POTRAZ · Primary regulation
- Data Controller Licence Application Form DP1POTRAZ Data Protection Authority · Official form
- FATF jurisdictions under increased monitoring, 19 June 2026FATF · Official international status statement
- FATF high-risk jurisdictions subject to a call for action, 19 June 2026FATF · Official international status statement
- FATF Plenary outcome removing Zimbabwe from increased monitoring, March 2022FATF · Official international status statement
- Zimbabwe follow-up report, April 2024FATF / ESAAMLG · Official peer-review status
- Zimbabwe country and mutual-evaluation pageESAAMLG · Official regional assessment register
- UN Security Council consolidated sanctions listUnited Nations · Official sanctions list
Direct answers
Zimbabwe KYC, KYB and AML questions
What is Zimbabwe's principal AML/CFT/CPF law?+
The Money Laundering and Proceeds of Crime Act [Chapter 9:24]. The FIU's current consolidated copy includes amendments through Act 7 of 2025, including virtual-asset and proliferation-financing changes.
Who receives suspicious transaction reports?+
The Financial Intelligence Unit of Zimbabwe. Reporting institutions use the FIU's goAML platform.
When is an STR due?+
Promptly and no later than three working days after suspicion is formed. Attempted transactions are included.
Does an amount have to be reached before filing an STR?+
No. Suspicion reporting is independent of value. A transaction can require both an STR and a separate threshold report.
What is the general occasional-transaction CDD threshold?+
USD 5,000 or more, including linked transactions, for the general statutory trigger. Suspicion or doubt about earlier identity evidence triggers CDD regardless of value, and sector-specific thresholds also exist.
What is the wire-transfer CDD threshold?+
USD 1,000 or more for a domestic or international wire, subject to any later prescribed change.
Which company beneficial-owner threshold applies?+
Company law uses more than 20% of shares or voting rights, majority-director appointment or removal rights, or other significant influence or control. The company must file material changes within seven days.
Why does the guide also mention 25% and 10%?+
They belong to different rules. The AML Act contains a 25%-or-more deemed ownership test, while the June 2025 RBZ guideline directs banks and microfinance institutions to identify and verify beneficial owners at 10% ownership and above. Control must still be assessed.
Can a registry extract replace independent KYB?+
No. Verify legal existence, authority, directors, licences, tax and ownership evidence and reconcile discrepancies. Trace ownership and control to natural persons.
What happens if CDD cannot be completed?+
Do not establish or maintain the relationship and report immediately to the FIU as required. If continued CDD would tip off a suspected customer, stop that process and file the appropriate report.
What PEP controls apply?+
Determine whether the customer or beneficial owner is a PEP, obtain senior-management approval where required, establish source of wealth and funds or assets and apply increased monitoring. Cover family and close associates in the cases described by the RBZ guideline.
What automatic threshold reports apply to banks?+
Under FIU Directive 01/04/2024, bank CTR and EFT thresholds are ZiG 70,000 for local transactions or USD 5,000 equivalent for foreign-currency transactions; the IFT threshold is USD 5,000 equivalent. Weekly returns, including nil returns, are due on or before the second working day of the week.
What threshold report applies to NBFIs and DNFBPs?+
The same directive sets CTR thresholds at ZiG 70,000 for local transactions or USD 5,000 equivalent for foreign currency. Monthly CTR or nil returns are due on or before the tenth day.
How long are AML records kept?+
Generally at least five years: CDD and relationship records from the relationship end, transaction records from the transaction and STR material from the report. Detached intermediary wire data covered by section 27(8) is kept at least ten years.
What happens on a confirmed UN sanctions match?+
Freeze the covered funds, assets and economic resources without prior notice, immediately and no later than 24 hours; prevent funds or services being made available; and report through goAML immediately and no later than 24 hours. Assess an STR separately.
How often should sanctions screening run?+
Before onboarding or an occasional transaction and daily thereafter under the FIU's 2024 directive. RBZ-regulated institutions also maintain real-time screening for cross-border transactions.
Are virtual-asset service providers regulated?+
Yes. S.I. 99 of 2026 creates FIU registration, fitness, governance, AML, travel-rule, unhosted-wallet and recordkeeping requirements. A certificate is valid for one year unless earlier suspended, surrendered or revoked.
When does the VASP travel rule apply?+
The ordering VASP must obtain and hold prescribed originator and beneficiary information for all virtual-asset transfers and send it securely. CDD applies at USD 1,000 or more, and unhosted-wallet transfers above USD 1,000 require wallet-ownership proof.
Must a KYC provider obtain a POTRAZ data-controller licence?+
A person determining the purposes and means of processing or processing for commercial benefit falls within the 2024 licensing rules unless exempt. Confirm the appropriate licence tier with POTRAZ, appoint a DPO and maintain the required notifications.
What is required for biometric KYC?+
Biometric data generally requires written consent unless a statutory exception applies. Notify POTRAZ of biometric or genetic processing, minimise collection, secure the data and preserve the lawful-condition analysis and consent or exception evidence.
How quickly must a personal-data breach be notified?+
Notify POTRAZ within 24 hours of awareness. If the breach is likely to create high risk for individuals' rights and freedoms, inform those people within 72 hours. The controller also completes the investigation and report within 21 days from notification.
Can KYC data be hosted outside Zimbabwe?+
Only with the section 28 adequacy conditions or a section 29 transfer condition, plus the required POTRAZ notification and any current authorisation. Map every foreign hosting, support and access location before transfer.
Is Zimbabwe on the FATF grey list?+
No, not in the FATF public statements dated 19 June 2026. FATF removed Zimbabwe from increased monitoring in March 2022. Zimbabwe remains in ESAAMLG enhanced follow-up, which is a separate peer-review process.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 16 July 2026 · Version 1.0
This checklist is general regulatory information, not legal advice or a licence determination. It reflects sources reviewed on 16 July 2026. Confirm current gazetted law, FIU directives, RBZ conditions, company-registry forms, data-controller licensing and reporting mechanics with Zimbabwean counsel and the competent authority before launch. Sector scope matters: bank-specific guidance, company-register thresholds, AML beneficial-ownership tests and VASP rules are not interchangeable. VOVE ID can support evidence collection, screening and audit trails, but the reporting entity remains responsible for customer acceptance, reporting, freezing and compliance decisions.