On 10 June 2026, Zimbabwe took a significant step towards the regulation of the digital asset sector with the gazetting of the Money Laundering and Proceeds of Crime (Virtual Asset Service Providers Registration) Regulations, 2026 (S.I. 99 of 2026). The Regulations establish Zimbabwe’s first dedicated registration and supervisory framework for Virtual Asset Service Providers (VASPs), bringing the country into closer alignment with evolving international standards on the regulation of digital assets and anti-money laundering compliance.
The Regulations follow the enactment of the Finance Act No. 7 of 2025, which introduced the legal concepts of virtual assets and Virtual Asset Service Providers into Zimbabwean law. Through amendments to the Money Laundering and Proceeds of Crime Act [Chapter 9:24] and the Securities and Exchange Act [Chapter 24:25], Zimbabwe laid the foundation for the regulation of businesses engaged in virtual asset activities, including exchanges, transfers, custody services and other related digital asset services.
The introduction of S.I. 99 of 2026 marks a notable shift from a largely unregulated operating environment to a formal compliance-based regime. The Regulations establish mandatory registration requirements for VASPs and introduce governance, risk management and reporting obligations designed to strengthen market integrity, consumer protection and regulatory oversight. They also incorporate anti-money laundering and counter-terrorist financing measures consistent with the recommendations of the Financial Action Task Force (FATF), including the implementation of the FATF “Travel Rule” applicable to virtual asset transactions.
The new framework is likely to be of particular interest to fintech businesses, digital asset exchanges, financial institutions, investors and technology companies seeking to operate within Zimbabwe’s emerging virtual asset market. It also signals the country’s intention to participate in the broader global movement towards the regulation and formalisation of virtual asset activities.
This article examines the principal features of S.I. 99 of 2026 and considers its practical implications for businesses operating within Zimbabwe’s digital asset ecosystem.
Objectives of the Regulations
At a policy level, the Regulations are designed to create a regulated and credible environment for virtual asset activities in Zimbabwe. The framework seeks to promote market integrity, investor and consumer confidence, transparency and accountability, while ensuring that Virtual Asset Service Providers maintain appropriate governance, compliance and risk management systems. The Regulations also reflect Zimbabwe’s commitment to aligning its regulatory framework with international best practices, particularly in relation to anti-money laundering, counter-terrorist financing and the supervision of digital asset markets.
Scope of the Definition of a Virtual Asset Service Provider
Section 2 of the Regulations adopts a broad and technology-neutral definition of a Virtual Asset Service Provider (VASP). While the framework applies to conventional virtual asset businesses such as cryptocurrency exchanges, brokers, custodians and transfer service providers, its scope extends considerably further.
The definition encompasses any person who provides services relating to virtual assets or who exercises control over, manages, operates, or provides the essential means necessary for the operation of software protocols, smart contracts, decentralised applications (dApps), or similar technological arrangements through which virtual asset services are offered. As a result, the Regulations potentially capture a wider range of participants within the digital asset ecosystem, including operators of decentralised finance (DeFi) platforms and other technology-driven virtual asset infrastructures where sufficient governance, control or influence is exercised.
The Regulations also introduce several key concepts relevant to regulatory oversight and compliance. These include beneficial ownership, significant interest, principal officers, compliance officers, affiliated entities, and protocol governance and control. The inclusion of these concepts reflects an intention to look beyond formal corporate structures and identify the individuals and entities that ultimately own, control, manage or influence virtual asset activities. This approach is consistent with international anti-money laundering and counter-terrorist financing standards, particularly the recommendations of the Financial Action Task Force (FATF), which increasingly emphasise transparency of ownership, accountability and effective oversight within the digital asset sector.
Regulatory Principles Governing Virtual Asset Service Providers
Section 3 of the Regulations sets out the guiding principles that underpin the regulation of Virtual Asset Service Providers (VASPs). These principles establish the regulatory objectives of the framework and are accompanied by brief explanatory provisions. Some of the key principles include:
- Market Integrity: The framework seeks to promote fair and transparent virtual asset markets while reducing opportunities for fraud and market manipulation.
- Consumer Protection: The Regulations aim to safeguard users against fraudulent schemes, mismanagement and loss of funds.
- Financial Stability: Regulatory oversight is intended to prevent virtual asset activities from creating broader risks within the financial system.
Part II – Registration of Virtual Asset Service Providers
Requirement for Registration
Part II of the Regulations establishes a mandatory registration regime for persons seeking to provide virtual asset services in or from Zimbabwe. In terms of section 4, no person may lawfully operate as a Virtual Asset Service Provider (VASP) unless registered with the Financial Intelligence Unit (FIU) in accordance with the prescribed application procedures and requirements.
The registration requirement represents a significant regulatory development for the virtual asset sector. It moves VASPs from a largely unregulated environment into a formal supervisory framework, bringing them within the scope of ongoing regulatory oversight, compliance monitoring and anti-money laundering obligations.
A particularly notable feature of the Regulations is the requirement that an applicant must be incorporated, registered or otherwise established as a legal entity in Zimbabwe. The framework therefore does not permit foreign VASPs to provide services directly into the Zimbabwean market without establishing a local legal presence. International operators seeking to offer virtual asset services in Zimbabwe will be required to do so through a locally incorporated subsidiary or other approved Zimbabwean legal entity.
This requirement reflects an increasing regulatory trend across several jurisdictions that seek to ensure local accountability, effective supervision and regulatory enforcement against entities conducting virtual asset activities within their territories. For international fintech businesses, exchanges and digital asset operators, the Regulations therefore introduce both a market-entry requirement and an ongoing compliance obligation that must be considered before commencing operations in Zimbabwe.
The registration framework also enables the Financial Intelligence Unit to assess the suitability of applicants, identify beneficial ownership structures, evaluate governance arrangements and ensure that only entities meeting the prescribed regulatory standards are permitted to operate within Zimbabwe’s virtual asset ecosystem.
Application Requirements
The Regulations prescribe a detailed and comprehensive application process designed to enable the Financial Intelligence Unit (FIU) to assess the suitability, integrity, ownership structure and compliance readiness of prospective Virtual Asset Service Providers.
Applicants are required to submit extensive supporting documentation, including:
- Incorporation and constitutional documents;
- Identification documents for beneficial owners, directors, shareholders and principal officers;
- Police clearance certificates for key individuals;
- Detailed ownership and corporate structure charts;
- Valid tax clearance certificates;
- Business and risk assessment reports;
- Anti-money laundering and counter-terrorist financing policies and procedures;
- Information relating to affiliated entities and group structures;
- Details of the proposed compliance officer and compliance framework; and
- Cybersecurity, data protection, confidentiality and information security policies.
The breadth of information required demonstrates that the registration process extends well beyond a simple licensing exercise. The Financial Intelligence Unit is empowered to conduct a comprehensive assessment of the applicant’s ownership, governance, financial integrity, operational capacity and risk management framework before registration is granted.
From a practical perspective, applicants will need to demonstrate not only corporate existence and operational readiness, but also the existence of robust governance structures, effective compliance systems and adequate controls to mitigate money laundering, terrorist financing, cyber-security and operational risks.
Assessment of Applications
In terms of Section 4 (9) the Financial Intelligence Unit is required to determine applications within ninety days of receiving a complete application. Applications may be refused where:
- Applicants fail to satisfy prescribed requirements;
- Principal officers or significant shareholders fail the fit and proper test;
- The applicant lacks adequate risk management capacity; or
- Registration would be contrary to the public interest.
- Applicants who submit false or misleading information may face rejection, revocation of registration, monetary penalties, and a six-month prohibition on reapplying.
Registration, Authorisation and Renewal
Once satisfied that an applicant meets the prescribed requirements, the Financial Intelligence Unit may grant registration in terms of section 7 of the Regulations. Successful applicants are issued with a unique registration number and a certificate of registration and are entered into the official Register of Virtual Asset Service Providers. The Financial Intelligence Unit may also impose conditions on a registration, which conditions may be recorded against the registrant’s entry in the register and form part of the regulatory requirements applicable to the VASP.
Registration is not indefinite. In terms of section 7(2), a certificate of registration remains valid for a period of one year, after which renewal is required to maintain authorisation to operate.
The Regulations place particular emphasis on transparency and public verification of regulatory status. Section 7(5) requires registered VASPs to prominently display their registration certificates at places where services are provided and, where services are offered electronically, to make evidence of registration readily accessible to users. Significantly, VASPs operating digital platforms are required to display a QR code linking directly to their entry in the official register, enabling customers, counterparties and regulators to independently verify their registration status.
The Regulations further empower the Financial Intelligence Unit to actively monitor compliance with the registration regime. In terms of section 8, the Unit is required to establish systems and procedures to identify persons who provide, or purport to provide, virtual asset services without registration. Where unregistered operators are identified, the Financial Intelligence Unit may share information with relevant competent authorities, financial institutions and other regulatory bodies for appropriate enforcement action.
Registration is subject to periodic review through a formal renewal process. Section 9 requires registered VASPs seeking renewal to submit their applications within ninety days prior to the expiry of their registration. Renewal applications must be accompanied by updated information, including revised risk assessments, fit-and-proper declarations and any other documentation required by the Financial Intelligence Unit.
These provisions reflect a regulatory approach based on continuous supervision rather than a once-off licensing exercise. Registered VASPs are expected to maintain ongoing compliance with regulatory, governance and anti-money laundering requirements throughout their operational lifecycle. The annual renewal process provides the Financial Intelligence Unit with an opportunity to reassess the suitability, governance arrangements and risk profile of registrants and to ensure continued compliance with the evolving regulatory framework.
Part III – Obligations of Registrants
Corporate Governance Requirements
Registered VASPs are required to comply with Section 10 (1) of the Regulations, particularly:
- Maintain fit and proper beneficial owners and principal officers;
- Appoint a money laundering compliance officer resident in Zimbabwe;
- Maintain at least two resident directors;
- Notify the Financial Intelligence Unit, in writing, of material changes; and
- Comply with all regulatory requirements and directives.
The failure to comply with certain governance requirements may result in penalties of up to US$50,000.
Fit and Proper Requirements
Section 11 establishes a comprehensive fit-and-proper assessment framework. The factors to be considered include: – Financial standing; Education, qualifications and experience; Integrity and reliability; Criminal history; Regulatory compliance history; and Previous licensing or disciplinary actions. After completion of the assessment, the FIU shall notify an applicant in writing, where it determines such person not to be fit and proper.
Residence and Presence Requirements
Additionally, registrants are required to maintain a registered place of business in Zimbabwe and ensure that records required under the Regulations are accessible from that location. This provision is provided in Section 12, mandating businesses to also report any change of business premises within seven days.
Duty to Report Material Changes
Section 13 obliges applicants and registrants to notify the Financial Intelligence Unit within forty-eight hours of becoming aware of any material change affecting information previously provided. The Unit may issue directives or where necessary, deregister a registrant following such changes.
Part IV – Suspension, Revocation and Surrender of Registration
Section 14 (1) The Regulations establish mechanisms for the suspension, surrender and revocation of registration certificates. The Director General may suspend registration where necessary to protect the public interest. Registrants are generally entitled to notice and an opportunity to make representations before suspension, although immediate suspension may occur in urgent circumstances. Registrants may voluntarily surrender their registration, according to Section 15, by written notice to the Financial Intelligence Unit.
The FIU may revoke registration in terms of conditions provided in Section 16, for instance where a VASP: – commits money laundering, terrorist financing or proliferation financing offences; fails to comply with regulatory obligations; obtains registration through false information; ceases operations; enters liquidation; or conducts business in a manner contrary to the public interest.
Part V – The Travel Rule
One of the most significant features of the Regulations is the implementation of the FATF Travel Rule for virtual asset transfers. Section 17 provides definitions of terms used in Part V of the Regulations such as:
- “Travel Rule” means the obligation to obtain, verify, and transmit originator and beneficiary information immediately and securely during a virtual asset transfer.
- “Ordering VASP” means the VASP which initiates the virtual asset transfer and transfers the virtual asset upon receiving the request for the transfer on behalf of the originator.
For virtual asset transfers, Ordering VASPs are directed by Section 18 to obtain and verify information relating to both the originator and beneficiary before executing transactions. Required information includes names, wallet addresses, identification details, and place of residence. The verified information must then be securely transmitted to the beneficiary VASP.
In terms of Section 19, Beneficiary VASPs must implement effective risk-based procedures to identify transfers lacking required information and verify that beneficiary details correspond with their records.|
Transfers to Unhosted Wallets
In terms of Section 20, Ordering VASPs must verify ownership or control of the destination wallet through wallet ownership verification measures such as cryptographic proof mechanisms or the “Satoshi test”. This provision applies to transactions exceeding US$1,000.00.
Customer Due Diligence and Compliance Requirements
VASPs are further mandated to conduct Customer Due Diligence and monitor compliance. Section 21 of the Regulations applies to all transactions conducted by VASPs equal to or exceeding US$1,000. In such transactions, VASPs must verify customer identities; identify beneficial owners; understand the purpose of business relationships; conduct ongoing monitoring; apply enhanced due diligence to higher-risk customers; maintain records for at least five years; and report suspicious transactions promptly.
In addition, Section 21 (6) also mandates VASPs to establish internal compliance systems, designate compliance officers and subject systems to independent audits and regulatory review.
Part VI – Register of Virtual Asset Service Providers
A Register of Virtual Asset Service Providers shall be established and maintained by the FIU, in terms of Section 22 of the Regulations. The Register must include details such as: the registrant’s name; registration category; and services authorised; amongst other details.
Section 22 (5) further provides that the Register is required to be publicly accessible and regularly updated.
Fees, Charges and Enforcement
The Regulations prescribe a relatively accessible fee structure for market participants seeking to operate as Virtual Asset Service Providers in Zimbabwe. However, they also establish clear enforcement mechanisms to ensure compliance with financial obligations owed to the Financial Intelligence Unit.
In terms of section 23(1), any fees paid under the Regulations are expressly stated to be non-refundable. Accordingly, applicants whose applications are unsuccessful or who subsequently withdraw their applications will not be entitled to a refund of any fees paid to the Financial Intelligence Unit.
The Regulations further strengthen the enforceability of financial obligations arising under the framework. Section 23(4) provides that any fee, charge, penalty or other amount due to the Financial Intelligence Unit under the Regulations may be recovered as a debt due to the Reserve Bank of Zimbabwe. This effectively affords such obligations a heightened level of enforceability and underscores the regulatory significance of compliance with the framework.
The fee structure prescribed in the Second Schedule is comparatively modest by international standards. Notably:
- No application fee is payable upon submission of an application for registration;
- The registration fee is capped at US$500.00; and
- The annual renewal fee is US$400.00.
The Money Laundering and Proceeds of Crime (Virtual Asset Service Providers Registration) Regulations, 2026 mark a significant development in Zimbabwe’s financial regulatory landscape by establishing the country’s first dedicated regulatory framework for Virtual Asset Service Providers (VASPs). The Regulations introduce a comprehensive regime encompassing mandatory registration, fit-and-proper requirements, corporate governance standards, anti-money laundering and counter-terrorist financing controls, customer due diligence obligations, ongoing compliance requirements and implementation of the Financial Action Task Force (FATF) Travel Rule.
The framework signals Zimbabwe’s recognition of the increasing role of virtual assets and digital finance within the global economy and reflects a broader policy objective of fostering innovation while maintaining market integrity, consumer protection and financial stability. By bringing virtual asset activities within a formal supervisory framework, the Regulations seek to enhance transparency, strengthen regulatory oversight and mitigate financial crime risks associated with the sector.
For virtual asset exchanges, fintech businesses, custodians, digital asset operators, investors and financial institutions, the Regulations introduce both new opportunities and significant compliance obligations. Businesses operating within Zimbabwe’s virtual asset ecosystem should therefore review their governance structures, ownership arrangements, compliance programmes, cybersecurity frameworks and anti-money laundering controls to ensure alignment with the new regulatory requirements.
--
Read the original publication at Muvingi Mugadza
