Checklist de conformité KYC, KYB et AML
Zimbabwe KYC, KYB & AML
A source-backed implementation checklist for customer and business verification in Zimbabwe. It incorporates the consolidated Money Laundering and Proceeds of Crime Act through Act 7 of 2025, the RBZ 2025 banking guideline, current FIU reporting and targeted-financial-sanctions directives, company beneficial-ownership filings, payment-system oversight, the June 2026 VASP registration regime and current privacy licensing and breach rules.
- Revue le
- 16 July 2026
- Version
- 1.0
- domaines de contrôle
- 11
- contrôles d’implémentation
- 53
Réponse directe
Que couvre la checklist de conformité pour Zimbabwe ?
La checklist pour Zimbabwe traduit les principales règles KYC, KYB et AML en 11 domaines de contrôle et 53 contrôles d’implémentation, avec les autorités, obligations de déclaration et preuves à conserver.
Faits réglementaires clés
- Primary AML/CFT/CPF law
- Money Laundering and Proceeds of Crime Act [Chapter 9:24], consolidated through Act 7 of 2025
- Financial intelligence unit
- Financial Intelligence Unit of Zimbabwe (FIU)
- STR timing and channel
- Promptly and no later than three working days after suspicion; submit through goAML
- General occasional CDD trigger
- USD 5,000 or more, including linked transactions; suspicion and identity doubt override thresholds
- Wire CDD trigger
- USD 1,000 or more for domestic or international wires
- Core AML retention
- At least five years, with the event depending on the record class
- Company beneficial ownership
- More than 20% shares or voting rights, majority-director appointment/removal rights, or other significant influence or control; changes filed within seven days
- RBZ banking BO guide
- Identify and verify beneficial owners at 10% ownership and above, while also testing control
- Targeted financial sanctions
- Screen daily; freeze and report a confirmed match immediately and within 24 hours
- Data breach
- Notify POTRAZ within 24 hours; notify affected people within 72 hours where high risk
- VASP regime
- FIU registration under S.I. 99 of 2026; certificate valid one year; travel rule applies to all virtual-asset transfers
- FATF public lists
- Not listed in the public statements dated 19 June 2026; ESAAMLG enhanced follow-up continues
Détail d’implémentation
Exigences et actions de conformité pour Zimbabwe
Ouvrez chaque domaine pour consulter l’exigence, l’action recommandée, les preuves à conserver et la source primaire utilisée.
01Scope, authorities and regulated activitiesResolve the legal entity, product, profession and supervisor perimeter before configuring controls or launching a service.4 éléments+
The AML/CFT/CPF regime covers financial institutions and designated non-financial businesses and professions, including the categories defined in the Act.
- Action d’implémentation
- Map every entity, product, customer flow, profession, branch, agent and outsourced activity to its statutory category and competent supervisor.
- Preuves à conserver
- Signed perimeter memorandum, entity-product matrix, licences and supervisor map.
- Source primaire
- Money Laundering and Proceeds of Crime Act [Chapter 9:24] (MLPC Act), ss. 2, 13 and First Schedule
The FIU administers the reporting framework, receives reports and may issue binding directives; sector supervisors retain their licensing and supervisory roles.
- Action d’implémentation
- Assign authority contacts, goAML credentials, alternates, reporting ownership and a controlled regulatory calendar.
- Preuves à conserver
- Authority map, FIU registration, goAML access register, appointments and reporting calendar.
- Source primaire
- MLPC Act, ss. 4-6G and 30; FIU legal-framework and directives pages
Retail payment, switching, mobile-money and related payment activity requires the applicable RBZ approval before operation; non-bank applicants follow the current partnership and submission conditions stated by RBZ.
- Action d’implémentation
- Obtain an RBZ classification and every required approval before pilot or live launch, and track conditions, agents, settlement, interoperability and consumer-protection duties.
- Preuves à conserver
- RBZ approval, classification, approved product map, conditions register, bank-partner agreement and agent inventory.
- Source primaire
- National Payment Systems Act [Chapter 24:23]; RBZ National Payment Systems approval requirements; S.I. 80 of 2020
A person providing virtual-asset services must be registered with the FIU under S.I. 99 of 2026; applicants must be Zimbabwe-incorporated or operate through a Zimbabwe subsidiary.
- Action d’implémentation
- Do not offer exchange, transfer, custody, administration or issuer-related virtual-asset services until the FIU issues the applicable registration certificate and conditions.
- Preuves à conserver
- VASP perimeter analysis, Zimbabwe incorporation, application pack, FIU certificate, conditions and renewal calendar.
- Source primaire
- MLPC Act, s. 2 definition of financial institution; S.I. 99 of 2026, ss. 4-9
02Governance, risk assessment and control ownershipUse documented ML, TF and proliferation-financing risk to design accountable, tested and resourced controls.4 éléments+
Reporting institutions assess and mitigate customer, country, product, service, transaction and delivery-channel ML/TF/PF risk and apply proportionate measures.
- Action d’implémentation
- Maintain enterprise and customer-risk methodologies, data inputs, inherent and residual ratings, mitigants, overrides and approval.
- Preuves à conserver
- Risk methodology, enterprise assessment, customer model, risk register, remediation plan and approval.
- Source primaire
- MLPC Act, s. 12B; RBZ AML/CFT/CPF Guideline, paras. 2.1-2.49
Banks and microfinance institutions under the RBZ guideline review their institutional risk assessment at least annually and assess new products and technologies before launch.
- Action d’implémentation
- Set an annual review and a pre-launch gate covering AML/CFT/CPF, fraud, sanctions, cyber and privacy risk.
- Preuves à conserver
- Annual assessment, product assessment, control sign-offs, test results and release decision.
- Source primaire
- RBZ AML/CFT/CPF Guideline, paras. 2.8-2.9 and 3.9-3.11
An AML/CFT/CPF programme includes policies and controls, employee screening, ongoing training, technology-misuse controls and independent audit.
- Action d’implémentation
- Approve a complete programme, name control owners, resource independent testing and track corrective action to closure.
- Preuves à conserver
- Board-approved policies, owner register, training, screening, audit plan, reports and remediation tracker.
- Source primaire
- MLPC Act, s. 25(1); RBZ AML/CFT/CPF Guideline, Part 3
A management-level compliance officer must oversee implementation and have ready access to books, records and employees.
- Action d’implémentation
- Document appointment, authority, independence, information access, deputies and direct reporting to senior management and the board.
- Preuves à conserver
- Appointment resolution, charter, access matrix, resource plan and governance reports.
- Source primaire
- MLPC Act, s. 25(2)-(3); RBZ AML/CFT/CPF Guideline, paras. 3.22-3.32
03Natural-person identification and CDDIdentify, verify and understand customers at every statutory trigger and before activation except for a narrow controlled timing exception.5 éléments+
CDD applies when establishing a relationship, at an occasional transaction of USD 5,000 or more including linked transactions, at a wire of USD 1,000 or more, whenever suspicion exists and whenever earlier identity evidence is doubtful.
- Action d’implémentation
- Configure relationship, aggregation, wire, suspicion and identity-doubt triggers; never use a monetary threshold to suppress suspicion-driven CDD.
- Preuves à conserver
- CDD trigger matrix, aggregation logic, configuration, test cases and exceptions.
- Source primaire
- MLPC Act, s. 15(1); RBZ AML/CFT/CPF Guideline, para. 3.36
Sector-specific triggers also apply: gaming operators at USD 3,000 and precious-stones or precious-metals dealers receiving currency at USD 15,000, subject to any current prescribed change.
- Action d’implémentation
- Keep sector thresholds in a governed register and link each threshold to the correct activity and customer population.
- Preuves à conserver
- Sector analysis, threshold register, configuration and periodic legal check.
- Source primaire
- MLPC Act, s. 15(2)
Natural-person identity is verified with an official identity document; the customer definition includes signatories, authorised persons and attempted actors.
- Action d’implémentation
- Validate identity attributes and document authenticity, screen the person and separately verify every representative's authority.
- Preuves à conserver
- Identity copy, authenticity result, source provenance, screening and mandate.
- Source primaire
- MLPC Act, ss. 13, 15 and 17; RBZ AML/CFT/CPF Guideline, paras. 3.34-3.50
CDD captures the purpose and intended nature of the relationship and enough information to understand the customer's business and expected activity.
- Action d’implémentation
- Record products, volumes, values, counterparties, countries, source of funds where appropriate and an approved expected-activity baseline.
- Preuves à conserver
- Customer profile, purpose statement, expected-activity baseline, source evidence and risk score.
- Source primaire
- MLPC Act, s. 17(e)-(f); RBZ AML/CFT/CPF Guideline, para. 3.49
Identity verification normally precedes the relationship; limited deferral is allowed only where delay is unavoidable for normal business and ML/TF/PF risk is adequately controlled.
- Action d’implémentation
- Use a documented exception with restrictions, completion deadline and escalation; do not treat deferral as routine onboarding.
- Preuves à conserver
- Exception approval, risk rationale, account restrictions, completion timestamp and overdue report.
- Source primaire
- MLPC Act, s. 16; RBZ AML/CFT/CPF Guideline, paras. 3.43-3.47
04KYB, registries and beneficial ownershipVerify legal existence, authority and the natural persons who ultimately own or control the entity; apply the threshold appropriate to the legal context.5 éléments+
Legal-person CDD covers name, address, directors, incorporation, legal form, binding authority, ownership and control.
- Action d’implémentation
- Verify these from current registry, constitutional, licence, tax and mandate evidence; reconcile inconsistencies.
- Preuves à conserver
- Registry extract, constitutive documents, licences, directors, mandate and discrepancy log.
- Source primaire
- MLPC Act, s. 17(b); RBZ Guideline, para. 3.49
AML CDD identifies the natural-person beneficial owner; 25% or more ownership or voting control is a deemed test, but other control still applies.
- Action d’implémentation
- Trace all layers, calculate interests, identify the transaction beneficiary and test effective control.
- Preuves à conserver
- Ownership chart, calculations, declarations, control analysis and verified BO files.
- Source primaire
- MLPC Act, ss. 13 and 15(2)-(3)
RBZ's 2025 guide directs banks and microfinance institutions to identify and verify BOs at 10% ownership and above, alongside control tests.
- Action d’implémentation
- Configure the 10% floor for covered institutions and investigate control, nominees and higher-risk ownership.
- Preuves à conserver
- Scope memo, configuration, ownership chart, control analysis and tests.
- Source primaire
- RBZ Guideline, paras. 2.21 and 3.37-3.42
Company-law BO means more than 20% of shares or votes, majority-director appointment or removal rights, or other significant influence or control.
- Action d’implémentation
- Maintain the company's current BO register using every statutory limb, not shareholding alone.
- Preuves à conserver
- Company BO register, identity and control evidence, resident custodian and review log.
- Source primaire
- Companies and Other Business Entities Act, ss. 2 and 72
A company files current BO information and any material change with the Registrar within seven days.
- Action d’implémentation
- Use the current form and reconcile the company register, Registrar filing and AML CDD record.
- Preuves à conserver
- Declaration, receipt, seven-day change log and reconciliation.
- Source primaire
- Companies and Other Business Entities Act, s. 72(2); S.I. 46/2020
05PEPs, enhanced due diligence and remote onboardingHigher-risk, politically exposed and non-face-to-face relationships require additional evidence, accountable approval and closer monitoring.5 éléments+
Systems must determine whether a customer or beneficial owner is a PEP and distinguish foreign PEPs from domestic or international-organisation PEPs according to risk.
- Action d’implémentation
- Screen before activation and continuously, resolve matches with reliable role evidence and extend controls to required family members and close associates.
- Preuves à conserver
- Screening result, role and relationship evidence, match decision, risk rationale and review log.
- Source primaire
- MLPC Act, ss. 13 and 20; RBZ AML/CFT/CPF Guideline, paras. 3.64-3.68
Applicable PEP relationships require senior-management approval, reasonable measures to establish source of wealth and source of funds or assets and increased ongoing monitoring.
- Action d’implémentation
- Obtain and corroborate source evidence, record approval before starting or continuing the relationship and configure enhanced monitoring.
- Preuves à conserver
- Source-of-wealth and source-of-funds file, approval, monitoring plan and reviews.
- Source primaire
- MLPC Act, s. 20; RBZ AML/CFT/CPF Guideline, para. 3.68
High-risk customers, products, services and situations receive enhanced measures; simplified measures are permitted only for substantiated low risk and do not remove CDD or monitoring.
- Action d’implémentation
- Define risk-based standard, enhanced and simplified control sets, eligibility rules, prohibited overrides and review frequency.
- Preuves à conserver
- Risk-control matrix, low-risk rationale, EDD file, approvals and override log.
- Source primaire
- MLPC Act, ss. 12B and 20; RBZ AML/CFT/CPF Guideline, paras. 3.71-3.76
Non-face-to-face business must use measures no less effective than in-person due diligence and address impersonation and document risk.
- Action d’implémentation
- Use risk-based document integrity, liveness or presence, independent data, device and fraud checks and governed manual review.
- Preuves à conserver
- Remote-onboarding standard, vendor assurance, test pack, fraud logs and exceptions.
- Source primaire
- MLPC Act, s. 19; RBZ AML/CFT/CPF Guideline, paras. 3.57-3.63
If required CDD cannot be completed, do not establish or maintain the relationship and report immediately to the FIU; avoid pursuing CDD where it would tip off a suspected customer.
- Action d’implémentation
- Route failed or unsafe CDD to decline, restriction or exit and a confidential reporting decision without alerting the customer.
- Preuves à conserver
- Failure reason, decline or exit, immediate report or STR decision, submission and restricted access log.
- Source primaire
- MLPC Act, ss. 22 and 31; RBZ AML/CFT/CPF Guideline, paras. 3.69-3.70 and 3.130
06Monitoring, suspicious reporting and confidentialityMonitor the relationship continuously and submit complete reports through the prescribed FIU channel on time.5 éléments+
Ongoing due diligence keeps customer and beneficial-owner data current and examines transactions against the known customer, activities and risk profile.
- Action d’implémentation
- Configure risk-based refresh, event triggers and transaction monitoring and investigate material deviations from expected activity.
- Preuves à conserver
- Refresh schedule, trigger log, monitoring scenarios, alerts, cases and updated CDD.
- Source primaire
- MLPC Act, s. 26; RBZ AML/CFT/CPF Guideline, paras. 2.47-2.51 and 3.71-3.78
Complex, unusual large or purposeless transactions and unusual patterns require special attention, written findings and retention.
- Action d’implémentation
- Document background, purpose, actors, source and destination of funds, corroboration and the final reporting decision.
- Preuves à conserver
- Enhanced-review memorandum, transaction data, supporting evidence, decision and reviewer sign-off.
- Source primaire
- MLPC Act, ss. 24 and 26(2)
A financial institution, DNFBP and covered officers or agents report property, a transaction or an attempted transaction suspected or reasonably suspected to involve crime, terrorism, terrorist financing or proliferation.
- Action d’implémentation
- Escalate immediately, preserve the suspicion timestamp and submit a complete STR to the FIU through goAML.
- Preuves à conserver
- Internal report, analysis, STR, goAML receipt, case timeline and any supplement.
- Source primaire
- MLPC Act, s. 30(1); RBZ AML/CFT/CPF Guideline, paras. 3.104-3.110
An STR is due promptly and no later than three working days after suspicion is formed; attempted transactions are reportable.
- Action d’implémentation
- Use a shorter internal SLA that leaves time for review and measure from the documented point at which suspicion was formed.
- Preuves à conserver
- Suspicion timestamp, internal SLA, approval, submission timestamp and overdue report.
- Source primaire
- MLPC Act, s. 30(1); RBZ AML/CFT/CPF Guideline, paras. 3.105-3.108
Tipping off is prohibited and reporting information is protected; secrecy duties do not block statutory reporting.
- Action d’implémentation
- Restrict STR access, suppress customer-facing indicators, train staff and separate lawful information requests from prohibited disclosure.
- Preuves à conserver
- Access matrix, immutable case log, training, communications controls and access review.
- Source primaire
- MLPC Act, ss. 31-33; RBZ AML/CFT/CPF Guideline, paras. 3.126-3.132
07Payments, wires, threshold reports and virtual assetsKeep CDD triggers, automatic threshold reports, wire data and virtual-asset travel-rule controls distinct.6 éléments+
Qualifying wires carry accurate originator and beneficiary data; incomplete transfers require risk-based repair, rejection or suspension.
- Action d’implémentation
- Validate fields before execution, retain data across the chain and govern missing-data decisions.
- Preuves à conserver
- Field specification, rules, repair/reject queue, samples and logs.
- Source primaire
- MLPC Act, s. 27; RBZ Guideline, paras. 3.143-3.156
For banks, Directive 01/04/2024 sets CTR/EFT thresholds at ZiG 70,000 local or USD 5,000 equivalent foreign currency, and IFT at USD 5,000 equivalent.
- Action d’implémentation
- Configure separate report types and currency rules and re-check the FIU for changes.
- Preuves à conserver
- Threshold register, system and currency rules, tests and dated check.
- Source primaire
- FIU Directive 01/04/2024, para. 2.1
Banks submit weekly threshold and nil returns on or before the second working day of the week.
- Action d’implémentation
- Reconcile, approve and submit each CTR, EFT and IFT return through goAML on time.
- Preuves à conserver
- Reconciliation, return, approval, receipt and overdue log.
- Source primaire
- FIU Directive 01/04/2024, para. 2.2
NBFIs and DNFBPs submit CTR or nil returns at ZiG 70,000 local or USD 5,000 equivalent foreign currency monthly by the tenth day.
- Action d’implémentation
- Confirm scope, reconcile the monthly return and retain the goAML acknowledgement.
- Preuves à conserver
- Scope, configuration, return, reconciliation and receipt.
- Source primaire
- FIU Directive 01/04/2024, paras. 3.1-3.2
A suspicious threshold transaction requires separate STR and threshold reports.
- Action d’implémentation
- Link but do not merge the cases; preserve separate grounds, reports and receipts.
- Preuves à conserver
- Linked IDs, STR, threshold return, receipts and decision.
- Source primaire
- RBZ Guideline, paras. 3.133-3.135
S.I. 99/2026 applies travel data to all virtual-asset transfers, CDD at USD 1,000 or more and wallet-ownership proof above USD 1,000 for unhosted wallets.
- Action d’implémentation
- Verify and transmit travel data, detect missing fields, prove wallet control and monitor risk.
- Preuves à conserver
- Travel messages, KYC, wallet proof, decision and monitoring.
- Source primaire
- S.I. 99/2026, ss. 17-21
08Targeted financial sanctionsUse current UN lists and FIU instructions to identify, freeze and report designated assets without prior notice.4 éléments+
FIs, DNFBPs and other natural and legal persons apply Zimbabwe's UN targeted-financial-sanctions framework for terrorism and proliferation financing.
- Action d’implémentation
- Maintain a legal list inventory, FIU/goAML registration, accountable sanctions owner and procedures for designation, delisting and false positives.
- Preuves à conserver
- List inventory, subscriptions, procedure, role assignment and change log.
- Source primaire
- S.I. 76 of 2014; S.I. 110 of 2021; FIU CFT/CPF Directive PFIU3/09/24
Screen existing and potential customers, beneficial owners, transaction parties, directors and agents before onboarding or an occasional transaction and thereafter daily.
- Action d’implémentation
- Run daily list updates and rescreening, pre-transaction checks and real-time cross-border payment screening where applicable.
- Preuves à conserver
- List versions, screening timestamps, population reconciliation, alerts and match decisions.
- Source primaire
- FIU CFT/CPF Directive PFIU3/09/24, Part 3; RBZ AML/CFT/CPF Guideline, paras. 3.79-3.83
A confirmed match triggers freezing without delay, immediately and in any case within 24 hours, without prior notice, plus a prohibition on funds, assets, services or economic resources being made available.
- Action d’implémentation
- Block accounts, transactions and services, identify all directly or indirectly owned or controlled assets and prevent movement until lawful release.
- Preuves à conserver
- Match validation, freeze timestamp, asset inventory, transaction blocks, access log and release authority.
- Source primaire
- FIU CFT/CPF Directive PFIU3/09/24, Part 3; S.I. 76 of 2014; S.I. 110 of 2021
A confirmed match and action taken are reported to the FIU through goAML immediately and no later than 24 hours; a nil return is submitted when an FIU list update yields no match.
- Action d’implémentation
- Submit the designated-person and asset particulars and action taken, file any required nil return and assess an STR separately where TF or PF is suspected.
- Preuves à conserver
- GoAML sanctions report, receipt, nil return, STR decision and linked case record.
- Source primaire
- FIU CFT/CPF Directive PFIU3/09/24, Reporting; RBZ AML/CFT/CPF Guideline, paras. 4.11-4.17
09Records, confidentiality and regulator accessRetain reconstructable records for the correct event-based period and make them available promptly to authorised authorities.4 éléments+
CDD files, account records and business correspondence are retained for at least five years after the relationship ends; transaction records are retained for at least five years from the transaction.
- Action d’implémentation
- Map every record class to the correct start event, legal hold, access rule and deletion control.
- Preuves à conserver
- Retention schedule, lifecycle configuration, legal-hold procedure, archive and deletion test.
- Source primaire
- MLPC Act, s. 24(2)(a)-(b)
Written findings for complex or unusual activity and copies of STRs and supporting material are retained for at least five years from the transaction or report, as applicable.
- Action d’implémentation
- Store analysis and reports in a restricted archive linked to the relevant customer and transaction without exposing the filing.
- Preuves à conserver
- Restricted case archive, linkage, retention configuration and access review.
- Source primaire
- MLPC Act, s. 24(2)(c)-(d); RBZ AML/CFT/CPF Guideline, paras. 3.138-3.142
Where a technical limitation separates required cross-border wire data from the related domestic transfer, the intermediary institution keeps the received information for at least ten years.
- Action d’implémentation
- Preserve detached wire data with a reliable transaction link and test complete reconstruction.
- Preuves à conserver
- Wire archive, linkage key, ten-year rule, retrieval and reconstruction test.
- Source primaire
- MLPC Act, s. 27(8)
Records and underlying information must be available on a timely basis to the FIU and authorised competent authorities; third-party reliance does not transfer responsibility.
- Action d’implémentation
- Authenticate requests, apply least-privilege disclosure, retrieve promptly and log the response and chain of custody.
- Preuves à conserver
- Request register, authentication, response package, access log and retrieval test.
- Source primaire
- MLPC Act, ss. 18 and 24; RBZ AML/CFT/CPF Guideline, para. 3.142
10Privacy, biometrics and international transfersAML necessity does not remove data-protection duties. Identity and biometric processing require lawful purpose, licensing, security, rights and transfer controls.7 éléments+
A person deciding the means, purpose or outcome of personal-data processing, the data collected or the people concerned, or processing for commercial benefit must apply for the applicable POTRAZ data-controller licence unless exempt.
- Action d’implémentation
- Classify the controller, confirm the correct tier with POTRAZ, obtain the licence and renew it at least three months before its 12-month expiry.
- Preuves à conserver
- Applicability analysis, DP1 application, licence, tier confirmation, fees and renewal calendar.
- Source primaire
- Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (S.I. 155 of 2024), ss. 3-8
A data controller appoints a qualified and certified DPO and notifies POTRAZ; DPO contact changes and termination are notified within 14 days and a replacement is appointed within 90 days.
- Action d’implémentation
- Appoint an independent DPO, file Form DP2, publish contact routes and maintain succession and notification triggers.
- Preuves à conserver
- Appointment, certification, DP2, POTRAZ receipt, contact notice and succession calendar.
- Source primaire
- S.I. 155 of 2024, ss. 12-14
Processing must be necessary, fair, lawful, purpose-limited, accurate, minimised and retained no longer than necessary; data subjects have information, access, objection, correction and deletion rights.
- Action d’implémentation
- Maintain notices, purpose and basis records, data inventory, minimisation and retention rules and a tested rights-request workflow.
- Preuves à conserver
- Privacy notice, processing inventory, lawful-basis register, retention schedule, rights log and responses.
- Source primaire
- Cyber and Data Protection Act [Chapter 12:07], ss. 7-14
Genetic, biometric and health data generally require written consent unless a statutory exception applies; POTRAZ must also be notified of biometric or genetic processing.
- Action d’implémentation
- Document the lawful condition, collect and preserve written consent where relied on, offer withdrawal mechanics and notify POTRAZ before production.
- Preuves à conserver
- Biometric assessment, written consent or exception memo, POTRAZ notice, withdrawal log and access controls.
- Source primaire
- Cyber and Data Protection Act, ss. 11-12; S.I. 155 of 2024, s. 10(2)(d)
Controllers and processors use appropriate technical and organisational security and a written processing agreement; a personal-data breach is notified to POTRAZ within 24 hours of awareness.
- Action d’implémentation
- Contract processors, test security and incident response, use Form DP3 and preserve a complete breach record and investigation.
- Preuves à conserver
- Processor agreement, security assessment, incident log, DP3, POTRAZ receipt and investigation report.
- Source primaire
- Cyber and Data Protection Act, ss. 18-19; S.I. 155 of 2024, ss. 16-17
Where a breach is likely to create high risk for individual rights and freedoms, affected data subjects are informed within 72 hours; the controller responds to authority requests within 14 days and concludes and reports its investigation within 21 days from notification.
- Action d’implémentation
- Classify breach risk, prepare individual notice, track authority questions and complete the investigation and final report on the statutory clocks.
- Preuves à conserver
- Risk assessment, individual notice, delivery proof, authority responses, investigation and final report.
- Source primaire
- S.I. 155 of 2024, s. 17(3)-(5)
Foreign transfers require adequate protection or a statutory section 29 condition; S.I. 155 also requires notification to POTRAZ of intended foreign transfer or sharing.
- Action d’implémentation
- Map hosting and support locations, assess adequacy or the transfer condition, notify POTRAZ and obtain any current required authorisation before transfer.
- Preuves à conserver
- Transfer map, assessment, contracts, POTRAZ notification or authorisation, security controls and review.
- Source primaire
- Cyber and Data Protection Act, ss. 28-29; S.I. 155 of 2024, s. 10(2)(c)
11Implementation and audit evidence packA defensible programme links every legal claim to configuration, ownership, dated sources, testing and a controlled residual-risk decision.4 éléments+
A pre-launch gate covers perimeter, licensing, CDD, beneficial ownership, PEPs, monitoring, reporting, sanctions, records, privacy, payments and virtual assets.
- Action d’implémentation
- Block production until accountable owners approve control design and every material gap has a closed remediation or explicit lawful launch condition.
- Preuves à conserver
- Launch checklist, approvals, test pack, gap register and release decision.
- Source primaire
- MLPC Act; applicable FIU, RBZ, company, VASP and data-protection instruments
Agents, outsourced KYC providers, cloud services, processors and other vendors do not remove the regulated entity's accountability.
- Action d’implémentation
- Assess providers, contract evidence access, audit, security and confidentiality, monitor performance, test retrieval and maintain an exit plan.
- Preuves à conserver
- Due-diligence file, contract, audit and access test, monitoring reports, issues and exit plan.
- Source primaire
- MLPC Act, s. 18; S.I. 155 of 2024, s. 10(4)(f); RBZ NPS approval requirements
Thresholds, FATF lists, UN designations, FIU directives, RBZ conditions, VASP registration and privacy forms can change.
- Action d’implémentation
- Assign owners to monitor official FIU, RBZ, Companies Office, POTRAZ, Gazette, FATF and ESAAMLG sources and assess every change against systems and existing customers.
- Preuves à conserver
- Legal inventory, source log, change assessment, implementation ticket and approval.
- Source primaire
- Official authority and international publications listed in Sources
Independent assurance tests the complete customer lifecycle and preserves why each production rule is configured as it is.
- Action d’implémentation
- Sample onboarding, ownership, PEP, sanctions, thresholds, wires, STRs, privacy, access and retention; report findings and verify closure.
- Preuves à conserver
- Control-to-law map, monitoring plan, audit report, issue register, closure evidence and release history.
- Source primaire
- MLPC Act, s. 25(1)(e); RBZ AML/CFT/CPF Guideline, paras. 3.98-3.103

11 domaines de contrôle et 53 vérifications d'implémentation avec sources réglementaires directes.
Téléchargez la checklist KYC, KYB et AML pour Zimbabwe
Partagez vos coordonnées professionnelles pour accéder immédiatement à la checklist d'implémentation sourcée pour Zimbabwe. Date de revue réglementaire : 16 July 2026.
Recevez le PDF immédiatement
Envoyez vos coordonnées pour démarrer automatiquement le téléchargement
Revue et sourcée
Version 1.0, revue le 16 July 2026
Approuvé par des équipes conformité de premier plan
Registre des sources primaires
27 sources utilisées pour cette checklist
Utilisez ces liens pour vérifier la législation, les lignes directrices, les procédures de déclaration et les statuts internationaux.
- Money Laundering and Proceeds of Crime Act [Chapter 9:24], updated through Act 7 of 2025Financial Intelligence Unit of Zimbabwe · Primary legislation
- Zimbabwe AML/CFT legal frameworkFinancial Intelligence Unit of Zimbabwe · Official legal-framework register
- FIU directives registerFinancial Intelligence Unit of Zimbabwe · Official directives register
- Revised thresholds for CTRs, EFTs and IFTs, Directive 01/04/2024Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- Targeted-financial-sanctions Directive PFIU3/09/24Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- High-risk and increased-monitoring jurisdictions Directive PFIU17/02/2026Financial Intelligence Unit of Zimbabwe · Binding FIU directive
- FIU guidelines registerFinancial Intelligence Unit of Zimbabwe · Official guidance register
- goAML reporting portalFinancial Intelligence Unit of Zimbabwe · Official reporting platform
- Inspection notice on goAML registration and CTR submissions, 8 May 2025Financial Intelligence Unit of Zimbabwe · Official compliance notice
- AML/CFT/CPF Guideline, June 2025Reserve Bank of Zimbabwe · Binding sector guideline
- RBZ National Payment Systems legal basisReserve Bank of Zimbabwe · Official regulator guidance
- RBZ retail payment-system approval requirementsReserve Bank of Zimbabwe · Official licensing requirements
- National Payment Systems guidelines, directives and circularsReserve Bank of Zimbabwe · Official sector register
- Banking (Money Transmission, Mobile Banking and Mobile Money Interoperability) Regulations, 2020Reserve Bank of Zimbabwe · Primary sector regulation
- Guidelines for QR Code Payments in Zimbabwe, March 2026Reserve Bank of Zimbabwe · Current sector guideline
- Money Laundering and Proceeds of Crime (Virtual Asset Service Providers Registration) Regulations, 2026Financial Intelligence Unit of Zimbabwe · Primary sector regulation
- Companies and Other Business Entities Act [Chapter 24:31]Zimbabwe Legal Information Institute · Primary legislation
- Companies and Other Business Entities (Pre-Formation and Post-Formation Formalities) Regulations, 2020Zimbabwe Investment and Development Agency eRegulations · Primary regulation and forms
- Cyber and Data Protection Act [Chapter 12:07]Ministry of Information Communication Technology, Postal and Courier Services · Primary legislation
- Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024POTRAZ · Primary regulation
- Data Controller Licence Application Form DP1POTRAZ Data Protection Authority · Official form
- FATF jurisdictions under increased monitoring, 19 June 2026FATF · Official international status statement
- FATF high-risk jurisdictions subject to a call for action, 19 June 2026FATF · Official international status statement
- FATF Plenary outcome removing Zimbabwe from increased monitoring, March 2022FATF · Official international status statement
- Zimbabwe follow-up report, April 2024FATF / ESAAMLG · Official peer-review status
- Zimbabwe country and mutual-evaluation pageESAAMLG · Official regional assessment register
- UN Security Council consolidated sanctions listUnited Nations · Official sanctions list
Réponses directes
Questions KYC, KYB et AML pour Zimbabwe
What is Zimbabwe's principal AML/CFT/CPF law?+
The Money Laundering and Proceeds of Crime Act [Chapter 9:24]. The FIU's current consolidated copy includes amendments through Act 7 of 2025, including virtual-asset and proliferation-financing changes.
Who receives suspicious transaction reports?+
The Financial Intelligence Unit of Zimbabwe. Reporting institutions use the FIU's goAML platform.
When is an STR due?+
Promptly and no later than three working days after suspicion is formed. Attempted transactions are included.
Does an amount have to be reached before filing an STR?+
No. Suspicion reporting is independent of value. A transaction can require both an STR and a separate threshold report.
What is the general occasional-transaction CDD threshold?+
USD 5,000 or more, including linked transactions, for the general statutory trigger. Suspicion or doubt about earlier identity evidence triggers CDD regardless of value, and sector-specific thresholds also exist.
What is the wire-transfer CDD threshold?+
USD 1,000 or more for a domestic or international wire, subject to any later prescribed change.
Which company beneficial-owner threshold applies?+
Company law uses more than 20% of shares or voting rights, majority-director appointment or removal rights, or other significant influence or control. The company must file material changes within seven days.
Why does the guide also mention 25% and 10%?+
They belong to different rules. The AML Act contains a 25%-or-more deemed ownership test, while the June 2025 RBZ guideline directs banks and microfinance institutions to identify and verify beneficial owners at 10% ownership and above. Control must still be assessed.
Can a registry extract replace independent KYB?+
No. Verify legal existence, authority, directors, licences, tax and ownership evidence and reconcile discrepancies. Trace ownership and control to natural persons.
What happens if CDD cannot be completed?+
Do not establish or maintain the relationship and report immediately to the FIU as required. If continued CDD would tip off a suspected customer, stop that process and file the appropriate report.
What PEP controls apply?+
Determine whether the customer or beneficial owner is a PEP, obtain senior-management approval where required, establish source of wealth and funds or assets and apply increased monitoring. Cover family and close associates in the cases described by the RBZ guideline.
What automatic threshold reports apply to banks?+
Under FIU Directive 01/04/2024, bank CTR and EFT thresholds are ZiG 70,000 for local transactions or USD 5,000 equivalent for foreign-currency transactions; the IFT threshold is USD 5,000 equivalent. Weekly returns, including nil returns, are due on or before the second working day of the week.
What threshold report applies to NBFIs and DNFBPs?+
The same directive sets CTR thresholds at ZiG 70,000 for local transactions or USD 5,000 equivalent for foreign currency. Monthly CTR or nil returns are due on or before the tenth day.
How long are AML records kept?+
Generally at least five years: CDD and relationship records from the relationship end, transaction records from the transaction and STR material from the report. Detached intermediary wire data covered by section 27(8) is kept at least ten years.
What happens on a confirmed UN sanctions match?+
Freeze the covered funds, assets and economic resources without prior notice, immediately and no later than 24 hours; prevent funds or services being made available; and report through goAML immediately and no later than 24 hours. Assess an STR separately.
How often should sanctions screening run?+
Before onboarding or an occasional transaction and daily thereafter under the FIU's 2024 directive. RBZ-regulated institutions also maintain real-time screening for cross-border transactions.
Are virtual-asset service providers regulated?+
Yes. S.I. 99 of 2026 creates FIU registration, fitness, governance, AML, travel-rule, unhosted-wallet and recordkeeping requirements. A certificate is valid for one year unless earlier suspended, surrendered or revoked.
When does the VASP travel rule apply?+
The ordering VASP must obtain and hold prescribed originator and beneficiary information for all virtual-asset transfers and send it securely. CDD applies at USD 1,000 or more, and unhosted-wallet transfers above USD 1,000 require wallet-ownership proof.
Must a KYC provider obtain a POTRAZ data-controller licence?+
A person determining the purposes and means of processing or processing for commercial benefit falls within the 2024 licensing rules unless exempt. Confirm the appropriate licence tier with POTRAZ, appoint a DPO and maintain the required notifications.
What is required for biometric KYC?+
Biometric data generally requires written consent unless a statutory exception applies. Notify POTRAZ of biometric or genetic processing, minimise collection, secure the data and preserve the lawful-condition analysis and consent or exception evidence.
How quickly must a personal-data breach be notified?+
Notify POTRAZ within 24 hours of awareness. If the breach is likely to create high risk for individuals' rights and freedoms, inform those people within 72 hours. The controller also completes the investigation and report within 21 days from notification.
Can KYC data be hosted outside Zimbabwe?+
Only with the section 28 adequacy conditions or a section 29 transfer condition, plus the required POTRAZ notification and any current authorisation. Map every foreign hosting, support and access location before transfer.
Is Zimbabwe on the FATF grey list?+
No, not in the FATF public statements dated 19 June 2026. FATF removed Zimbabwe from increased monitoring in March 2022. Zimbabwe remains in ESAAMLG enhanced follow-up, which is a separate peer-review process.
Méthode de recherche et de revue
VOVE ID Compliance Research cartographie le périmètre réglementaire, traduit les obligations en contrôles opérationnels, relie les affirmations importantes aux sources et date chaque revue.
VOVE ID Compliance Research · Revue le 16 July 2026 · Version 1.0
This checklist is general regulatory information, not legal advice or a licence determination. It reflects sources reviewed on 16 July 2026. Confirm current gazetted law, FIU directives, RBZ conditions, company-registry forms, data-controller licensing and reporting mechanics with Zimbabwean counsel and the competent authority before launch. Sector scope matters: bank-specific guidance, company-register thresholds, AML beneficial-ownership tests and VASP rules are not interchangeable. VOVE ID can support evidence collection, screening and audit trails, but the reporting entity remains responsible for customer acceptance, reporting, freezing and compliance decisions.