
RESERVE BANK OF ZIMBABWE

NATIONAL PAYMENT SYSTEMS

ANTI-MONEY LAUNDERING - RISK-BASED OVERSIGHT & SUPERVISION GUIDELINE

January 2021
Payment Services Providers and participants –AML-RBA Oversight Guidelines (January 2021)

TABLE OF CONTENTS
1. INTRODUCTION
2. LEGAL FRAMEWORK
Compliance with Anti-Money Laundering Laws
3. RISK-BASED APPROACH
4. OBJECTIVE OF THE GUIDELINE
5. SCOPE AND APPLICATION OF THE GUIDELINE
6. BENEFITS AND RATIONALE FOR RBA
7. ENFORCEABILITY OF THIS GUIDELINE
8. RISK CATEGORIES AND DEFINITIONS
9. IDENTIFYING AND UNDERSTANDING ML/TF RISKS
10. COMPONENTS OF THE RBA
Risk-Based Approach vs Risk Appetite:
Implementation process:
11. GENERAL GUIDANCE ON AML/CFT
Key Narrative
Terrorism Financing
12. AML/CFT REQUIREMENTS FOR PSPs/FIs
13. AML/CFT GOVERNANCE FRAMEWORK
14. AML/CFT RISK MANAGEMENT
15. KNOWING YOUR CUSTOMER (KYC) AND CUSTOMER DUE DILIGENCE (CDD)
16. CUSTOMER ACCEPTANCE POLICY
17. TECHNOLOGICAL DEVELOPMENTS
18. TRANSACTION MONITORING
19. IDENTIFICATION OF DESIGNATED ENTITIES AND PERSONS AND FREEZING OF FUNDS
20. KNOWING YOUR EMPLOYEE (KYE)
21. CORE OBLIGATIONS OF REPORTING ENTITIES
Institutional Risk Assessment
Internal Controls, Policies and Procedures
Risk Profiling
Customer Due Diligence
Beneficial Owner
Ongoing Monitoring
CDD Measures To Be Applied
Enhanced Due Diligence
Politically Exposed Person (PEP)
Reliance on Intermediaries for CDD
Dormant accounts
22. ELECTRONIC FUNDS TRANSFERS
23. NON-FACE-TO-FACE SITUATIONS
24. REMITTANCES
25. CONFIRMATION OF IDENTITY BY OTHER INSTITUTIONS
26. NON-RESIDENT PERSONAL CUSTOMERS
27. COMPANIES AND OTHER LEGAL ENTITIES
28. CORRESPONDENT BANKING SERVICES
29. SUSPICIOUS TRANSACTION REPORT (STR)
30. TIPPING OFF AND PROTECTION FROM LIABILITY
31. MANAGEMENT INFORMATION SYSTEM (MIS),
32. TRAINING AND AWARENESS PROGRAMMES
ATTACHMENT OF ANNEXURES
ANNEXURE 1
ANNEXURE 2
General Guidance to Risk Based Approach
Risk-Based Approach Cycle
ANNEXURE 3
Risk Profiling of Customers
ANNEXURE 4
Specific High Risk Elements and Recommendations for EDD
ANNEXURE 5
General High Risk Factors
General Low Risk Factors
ANNEXURE 6
Other Sources of AML/CFT Guidance


DEFINITIONS

“Agent” means a person acting in the name and on behalf of, and so
representing, one or more PSPs issuing a retail payment instrument
vis-à-vis users. The issuing PSP is subject to all relevant
Zimbabwe rules on principal-agent relationship. By virtue of the
agency agreement, the agent is permitted to conduct solely and
specifically the services indicated in the agreement.

“Financial institution” means any person who conducts a business on one
or more of the following activities for a—

(a) Recognised payment systems provider in terms of the
National Payment Systems Act (Chap 24:23);

(b) Participant bank or entity on a recognised payment system;
and,

(c) Third party services provider to a recognised payment system
including, but not limited to, credit and debit cards, cheques,
money orders and electronic money;

“Payment Service Provider (PSP)” means an entity that provides services
enabling funds to be deposited and withdrawn from an account;
payment transactions involving transfers of funds; the issuance
and/or acquisition of payment instruments such as cheques, e-money,
credit cards, debit cards; remittances and other services
central to the transfer of funds.

“Wire transfer” means any transaction carried out on behalf of an
originator through a financial institution (including an
institution that originates the wire transfer and an
intermediary institution that participates in completion of
the transfer) by electronic means with a view to making an
amount of money available to a beneficiary person at
another financial institution.


LIST OF ABBREVIATIONS
AML/CFT Anti-Money Laundering and Combating Financing of Terrorism
CAP Customer Acceptance Policy
CBR Correspondent Banking Relationship
CDD Customer Due Diligence
EDD Enhanced Due Diligence
ESAAMLG Eastern and Southern Africa Anti-Money Laundering Group
FATF Financial Action Task Force
TF/FT Terrorism Financing
FIU Financial Intelligence Unit
G-20 Group of Twenty
KYC Know Your Customer
KYCC Know Your Customer’s Customer
KYE Knowing Your Employee
ME Mutual Evaluation
ML/TF Money Laundering and Terrorist Financing
MLPC Money Laundering & Proceeds of Crime Act, Chapter 9:24
NRA National Risk Assessment
PEPs Politically Exposed Persons
PSPs Payment System Provider
RBZ Reserve Bank of Zimbabwe
RBA Risk Based Approach
UNSCRs United Nations Security Council Resolutions
SDD Simplified Due Diligence
STR Suspicious Transaction/Activity Report


1. INTRODUCTION

1.1 Money laundering and terrorism financing (ML/TF) risk management
continue to be a priority global threat which can adversely affect a country’s
reputation and lead to multiple negative economic and social consequences,
such as de-risking.
1.2 Internationally, there have been concerted efforts, driven primarily by the
Financial Action Task Force (FATF), to implement effective measures to
prevent and detect ML/TF.
1.3 In 2012, the FATF revised its 40 Recommendations for anti-money
laundering and combatting the financing of terrorism (AML/CFT). The
FATF Standards/Recommendations are the global benchmark for assessing
the strength and effectiveness of a country’s AML/CFT regime. The FATF
also added standards for countering proliferation financing (CPF).
1.4 A key element of the FATF’s revised 2012 Recommendations is the
application of a risk based approach. Under the risk-based approach,
countries and financial institutions are expected to understand, identify and
assess their risks, take appropriate actions to mitigate those risks and
allocate their resources efficiently by focusing on higher risk areas.
1.5 Consequently, in 2013, Zimbabwe’s AML/CFT legislation was revised to
align more closely with the revised FATF Standards.
1.6 The subsequently amended Money Laundering and Proceeds of Crime (MLPC)
Act of 2018 has significant provisions, including the requirement to apply
risk-sensitive measures based on a comprehensive ML/TF risk assessment,
taking into consideration the nature, size and complexity of the business.


1.7 The Reserve Bank of Zimbabwe (RBZ) through its National Payment
Systems is issuing an Anti-Money Laundering (AML) Risk Based
Oversight and Supervision Guideline (hereinafter referred to as the
Guideline) to ensure that the payment services providers or financial
institutions that fall under its regulation comply with the MLPC Act and
implement robust AML/CFT frameworks that are commensurate with their
size, complexity and risk profile.
1.8 In 2015, Zimbabwe was subject to a 4th Round Mutual Evaluation (ME) by
the Eastern and Southern Africa Anti-Money Laundering Group
(ESAAMLG) to assess compliance with the FATF’s revised Standards.
The country also conducted a National Risk Assessment (NRA) during
the 2014/2015 period.
1.9 Consequently, this revised Guideline seeks to address the findings of the
ME and the subsequent NRAs whilst closely reflecting the 2012 revised FATF
Recommendations.

2. LEGAL FRAMEWORK

2.1 Zimbabwe underwent a comprehensive review of its AML/CFT regime.
This exercise led to a number of new laws and amendments to the existing
legislation to strengthen the regime.
2.2 The Bank Use Promotion and Suppression of Money Laundering Act (Chap
24:24) was the initial legal framework promulgated in 2002.
2.3 Zimbabwe then passed the Money Laundering and Proceeds of Crime Act
[Chap. 9:24] [Amendment of 2018] (MLPC Act) which is a composite
legislation criminalising ML and TF.


2.4 The MLPC Act, section 12B, requires financial institutions to apply
risk-sensitive measures based on a comprehensive ML/TF risk assessment. The
Section relates to assessing risks and implementing a risk-based approach by
financial institutions (FIs) and designated non-financial businesses and
professions (DNFBPs).
2.5 Nevertheless, implementing such an approach involves a comprehensive
analysis and profound knowledge of AML standards and KYC international
norms and standards.

Compliance with Anti-Money Laundering Laws


2.6 Every payment service provider or FI shall comply with the obligations and
requirements under any enactment, directives, instructions and guidelines
relating to anti-money laundering and the prevention of terrorism.
2.7 A payment service provider or FI shall guarantee that any agent or other
third party acting on its behalf shall comply with the enactments, directives,
instructions and any guidelines.

3. RISK-BASED APPROACH
3.1 The risk-based approach (RBA) is the most effective way to combat money
laundering and terrorist financing.
According to FATF guidance, published in October 2014, “RBA to
AML/CFT means that countries, competent authorities and financial
institutions are expected to recognise or identify, assess and understand the
ML/TF risks to which they are exposed and take AML/CFT measures
commensurate to those risks in order to mitigate them effectively.”


3.2 Subsequently, the RBA is considered by regulatory bodies as an important
element in the fight against money laundering and terrorism where any
financial institution should establish an AML/CFT strategy to mitigate and
assess the risks involved in dealing with high-risk customers and ongoing
due diligence required.
3.3 However, the implementation process of measuring the level of risks versus
the financial institution’s risk appetite and regulatory environment all need
to be considered in order to properly assess the risk associated with each
customer.
3.4 Therefore, the AML/CFT compliance programme should be risk-based, and
should be designed to mitigate the Money Laundering and Terrorist
Financing risks the reporting entity may encounter.
3.5 The general principle of a risk-based approach is that where customers are
assessed to be of higher ML/TF risks, a reporting entity should take
enhanced measures to manage and mitigate those risks, and that
correspondingly where the risks are lower, simplified measures may be
applied.
3.6 The use of a risk-based approach has the advantage of allowing resources
to be allocated in the most efficient way directed in accordance with
priorities so that the greatest risks receive the highest attention.
3.7 For example, the risk-based approach may require extensive customer due
diligence for high risk customers, such as an individual (or corporate entity)
whose source of wealth and funds is unclear or who requires the setting up
of complex ownership and control structures.


3.8 A reporting entity should be able to demonstrate to a supervisory authority
that the extent of customer due diligence and ongoing monitoring is
appropriate in view of the customer’s ML/TF risks.
3.9 While there are no universally accepted methodologies that prescribe the
nature and extent of a risk-based approach, an effective risk based approach
will allow a reporting entity to exercise reasonable business judgment with
respect to its customers. The risk-based approach to customer due diligence
and on-going monitoring is recognized as an effective way to combat
ML/TF risks. Refer to Annexure 5.

4. OBJECTIVE OF THE GUIDELINE


4.1 The MLPC Act designates the RBZ as the AML/CFT Supervisory
Authority (SA) or Overseer for the payment systems providers or financial
market infrastructures as defined in this Guideline.
4.2 This Guideline is therefore being issued pursuant to the MLPC Act and is
intended to assist payment services providers or financial institutions with
the:
4.2.1 Understanding and compliance with AML/CFT legislative and
regulatory requirements;
4.2.2 Developing and implementing effective, risk-based AML/CFT
compliance programs that enable adequate identification, monitoring
and reporting of suspicious transactions;
4.2.3 Understanding the expectations of the Central Bank with respect to the
minimum standards for AML/CFT controls; and


4.2.4 Creating an enabling environment for effective collaboration and
sharing information as required for the purposes of AML/CFT.

5. SCOPE AND APPLICATION OF THE GUIDELINE


5.1 The RBZ issued an Oversight Framework on Payment Systems (2016) to
guide the payment services providers, participants, users and other
stakeholders on payment systems related issues. The Framework briefly
depicted the risk based approach (RBA) concept.
5.2 Pursuant to that, this Guideline applies to:
5.2.1 Financial institutions regulated under the National Payment Systems
Act, Chap. 24:23 (NPS Act) which include payment services providers
and participant banks facilitating transactions on the approved
payment systems platforms;
5.2.2 Any entity or individual licensed under the Exchange Control Act,
Chap. 22:05 (EC Act);
5.2.3 Any entity or individual in money transmission or remittance business
pursuant to the Exchange Control or NPS Acts. This includes agents and
sub-agents of money transfers.
5.3 The Guideline together with the AML/CFT legislation and regulations will
form the framework against which the RBZ will assess the adequacy and
effectiveness of payment systems providers’ and participant banks’
AML/CFT compliance programs.
5.4 From time to time the RBZ will amend this Guideline to address changes
in the AML/CFT legislative framework. However, financial institutions and
PSPs should, as part of their risk management practices, stay current with
emerging developments as they relate to AML/CFT and update their
AML/CFT programmes as necessary.

6. BENEFITS AND RATIONALE FOR RBA


6.1 Risk-based oversight/supervision provides numerous benefits to the
overseer as well as to the institutions. These include the following:
6.1.1 enhances institutions’ ability to identify, understand, measure,
manage, and control risks as well as correct deficiencies;
6.1.2 encourages frequent, open communication between payment systems
providers/participant and supervisor;
6.1.3 enhanced supervision effort, in which the monitoring of new
developments and strategic changes at a given institution are
conducted throughout the oversight cycle;
6.1.4 less time spent on investigation, assessment of the institutions’
activities as preliminary analysis is done through off-site analysis;
6.1.5 greater emphasis on supervision or oversight inspection of payment
system institutions and areas exhibiting highest risk or adverse trends;
6.1.6 improved quality of supervisory activities necessary to support the
recommendations and conclusions. (Refer to Annexure 2)

7. ENFORCEABILITY OF THIS GUIDELINE


7.1 Further to the MLPC Act, the RBZ is empowered to issue guidelines to aid
compliance with the NPS Act, the Banking Act or any other written law
relating to AML/CFT.
7.2 Section 3 of the MLPC Act provides that the RBZ, as a designated supervisory
authority, should issue compliance directions to an insurer or agent,
or its controllers or officers for breaching any written law, including
AML/CFT laws. This may be done jointly with the FIU where deemed
necessary.

8. RISK CATEGORIES AND DEFINITIONS


8.1 It is therefore necessary to have a common set of risk definitions for use in
communications among overseers and the institution’s management, which
will serve as a basis for risk-focused oversight strategies.
8.2 In simple terms, risk is defined as the potential that events, expected or
unanticipated, may have an adverse effect on the institution’s economic and
social performance.
8.3 For risk-based oversight of payment systems purposes, the following are
generally key risks: strategic, money laundering, terrorist financing, fraud,
smuggling, corruption, tax evasion, credit, settlement, liquidity,
operational, compliance, legal and reputation among others.
8.4 Each PSP, participant and other stakeholder is therefore required to
develop its own comprehensive risk management framework or system
tailored to its size and complexity for approval by the Central Bank.

9. IDENTIFYING AND UNDERSTANDING ML/TF RISKS


9.1 In order to develop a risk based AML/CFT compliance programme, a PSP
or financial institution must first conduct an institutional risk assessment in
order to understand its risks.
9.2 Reporting institutions must take appropriate steps to identify, assess and
understand their ML/TF risks in relation to their customers, countries or
geographical areas and products, services, transactions or delivery
channels.
9.3 Risk assessments should help financial institutions understand the inherent
ML/TF risk exposure and which areas of their business they should
prioritise in the fight against ML/TF.
9.4 The risk assessment should be approved by the Board and form the basis
for the development of policies and procedures to mitigate ML/TF risks. It
should reflect the risk appetite of the institution and establish the risk level
deemed acceptable. The Central Bank will request and evaluate the
adequacy of the financial institution’s risk assessment on an ongoing basis.
9.5 Financial institutions shall also incorporate the results of the National Risk
Assessment (NRA) where available into their ML/TF risk assessment
process and apply the appropriate simplified or enhanced measures
commensurate with the identified risks.

10. COMPONENTS OF THE RBA


10.1 The revised FATF Recommendation 1 advises on how to identify and
assess ML/TF risks and ensure that the determined measures to prevent or
mitigate them are adequate to the defined risks and the regulatory
environment.
10.2 It states that “Countries should identify, assess, and understand the money
laundering and terrorist financing risks for the country, and should take
action, including designating an authority or mechanism to coordinate
actions to assess risks, and apply resources, aimed at ensuring the risks are
mitigated effectively.”


10.3 Therefore, FATF Recommendation 1 can be considered as the groundwork
towards the implementation of the risk-based approach as indicated in the
process flow diagram below:

Figure: RBA – Risk factors

Risk-Based Approach vs Risk Appetite:


10.4 Developing a risk-conscious environment can be challenging; however, the
financial institution should demonstrate an ability to balance
strategic objectives with the amount of risk that the entity is willing to take
on in pursuit of value and profit in a challenging and dynamic environment.
10.5 The financial institution which is prepared to take adverse risk should
demonstrate a high level of scrutiny and enhanced due diligence (EDD)
tools that will allow compliance with AML/CTF obligations.
10.6 Notably, this can increase the cost of compliance and regulator concerns on
the level of compliance.


Implementation process:
10.7 During the implementation process, it is important for the financial
institution to plan the process to eliminate gaps that can lead to negative
observations from the regulators.

10.8 The first step is the base of implementing RBA and should cover all aspects
by identifying the risk factors and setting up risk scoring.

11. GENERAL GUIDANCE ON AML/CFT

Key Narrative
11.1 Money laundering is the process used by criminals to conceal the illegal
origin and ownership of funds derived from criminal activities. If
successfully undertaken, it allows them to maintain control over those
proceeds, and the funds lose their criminal identity and appear to be
legitimately derived.
11.2 The money laundering process involves three (3) main stages, namely,
placement, layering and integration:

i. Placement: refers to the placing of proceeds of crime into the
financial system without arousing suspicion, for example via
deposits, purchases of cheques or money orders.
ii. Layering: refers to the movement of the money, often in a series of
financial transactions which may cross multiple jurisdictions
designed to disguise the criminal source and provide the appearance
of legitimacy. These transactions include purchasing investment
instruments, insurance contracts, wire transfers, money orders and
letters of credit.
iii. Integration: refers to the attempt to legitimize wealth derived from
criminal activity. The illicit funds re-enter the legitimate economy
by way of investment in real estate, luxury assets and business
ventures, until the laundered funds are eventually disbursed back to
the criminal appearing to be legitimate funds.
11.3 There are three (3) broad groups of offences related to money laundering
which are as follows:
11.3.1 Knowingly assisting (in a number of specified ways) in concealing, or
entering into arrangements for the acquisition, use, and/or possession
of criminal property;
11.3.2 Failing to report knowledge, suspicion, or where there are reasonable
grounds for knowing or suspecting, that another person is engaged in
money laundering; and
11.3.3 Tipping off or prejudicing an investigation.
11.4 There are five main categories into which inherent AML/CFT risk falls:

i. Governance,
ii. Institution and related sector,
iii. Products and services,
iv. Delivery channel,
v. Customers,
vi. Geographic location.
11.5 However, money laundering risks may be measured using various
categories, which may be modified by risk variables. The Wolfsberg
risk-based approach guidance is the most commonly used risk criteria.
11.6 Based on Wolfsberg’s guidance on a risk-based approach, risk factor
identification or indicators that can allow the assessment and measurement
of the level of risk can be summarized in the following diagram:


Figure: RBA –Risk factors

Source: Wolfsberg

11.7 Identifying these risk factors will assist in defining the weightage (weighted
risk level) by listing each component and attributing a rating that will allow
the risk rating.
11.8 In order to define the customer risk, the financial institution should
understand the nature of the customer and that should be defined based on
its vulnerability to money laundering and terrorist financing (e.g., the
AML/CTF risk would be higher for non-resident customers than for
residents).
11.9 Identifying the risk level of the customers can be challenging for financial
institutions in countries where there is no clear definition of high risk
customers or activities. However, there are international organizations that
have advised on the type of customers susceptible to be used by money
launderers and terrorist financiers; such as FATF recommendations,
Wolfsberg principles, EU Directives and BSA/AML Risk assessment
guidance which can be adopted as best practices.
11.10 It is also a separate offence under the MLPC Act not to establish appropriate
policies and procedures to detect and prevent money laundering (regardless
of whether or not money laundering actually takes place).

Terrorism Financing
11.11 Terrorism is defined as the unlawful threat of action designed to compel the
government or an international organization or intimidate the public or a
section of the public for the purpose of advancing a political, religious or
ideological belief or cause. Financing of terrorism (FT/TF) is the process
by which funds are provided to an individual or group to finance terrorist
acts.
11.12 The key difference between ML and TF is that with ML, the person seeks
to disguise the origins of illicit funds with a profit motive in mind; while in
contrast, a person funding terrorism may use legitimately-held funds to
pursue illegal and ideological motives. Financial institutions should bear
this in mind when assessing the risks posed by those funding terrorism.
11.13 A financial institution that carries out a transaction, knowing that the funds
or property involved are owned or controlled by terrorists or terrorist
organisations or that the transaction is linked to or is likely to be used in
terrorist activity, is committing a criminal offence.
11.14 TF often involves small sums of money and may be difficult to detect.
Notwithstanding, many of the AML controls financial institutions have in
place will overlap with measures to combat the financing of terrorism
(CFT). These may include for example, risk assessments, customer due
diligence procedures,

12. AML/CFT REQUIREMENTS FOR PSPs/FIs

12.1 Payment Services Providers regulated under the NPS Act are required to
implement risk-based AML/CFT compliance programmes that are
approved by their board of directors.
12.1.1 Internal systems, processes and controls to ensure ongoing compliance
with AML/CFT requirements;
12.1.2 Internal and external audits to verify compliance with AML/CFT
requirements;
12.1.3 Training of relevant personnel in the identification, monitoring and
reporting of suspicious transactions; and
12.1.4 A Compliance Officer, appointed by Senior Management and
approved by the RBZ, with responsibility for continuous compliance
with the AML/CFT legislation and guidelines.
12.1.5 The Compliance Officer is required to be “fit and proper” to diligently
carry out AML/CFT responsibilities effectively.

13. AML/CFT GOVERNANCE FRAMEWORK


13.1 ML and TF prevention should not be viewed in isolation from a PSP’s or
financial institution’s other business systems and needs, but as part of the
institution’s overall risk management strategies.
13.2 Consequently, it is imperative that the board and senior management of
PSPs or financial institutions ensure that the policies, procedures, systems
and processes that are put in place to prevent ML/FT and PF are
appropriate. Refer to Annexure 1.
13.3 The PSP’s or financial institution’s AML/CFT programme should be risk-
based and commensurate with the nature, size, complexity and inherent
risks of the institution.
13.4 The PSP’s or financial institution’s AML/CFT policies, procedures and
controls must be clearly documented and communicated to all relevant
employees in the business units. All employees must be adequately trained
to implement the AML/CFT policies and procedures and to be aware of
their obligations in ensuring compliance with prevailing AML/CFT laws,
regulations and guidelines.
13.5 The compliance function and other control functions comprise the second
line of defence and are responsible for ongoing monitoring of the financial
institution’s compliance with AML/CFT requirements.
13.6 Internal Audit is responsible for independent oversight and evaluation of
the PSP’s or financial institution’s AML/CFT risk management controls,
processes, systems and of the effectiveness of the first and second line of
defence functions. Findings of such reviews must be reported to the audit
committee of the Board or an equivalent oversight body.
13.7 External auditors and the RBZ play a critical role in independently
assessing the institution’s overall governance and control structure to
determine whether it is adequately complying with the relevant standards
and rules.
13.8 External auditors are required to conduct an annual AML/CFT audit on all
regulated entities and submit reports to the RBZ. (Refer to Annexure 1)

14. AML/CFT RISK MANAGEMENT


14.1 Having a risk-based approach to AML/CFT is essential for the
implementation of an effective AML/CFT risk management framework and
the promotion of financial inclusion.
14.2 The risk-based approach allows for the implementation of appropriate
customer due diligence, verification and monitoring procedures that are
proportionate to the identified ML/TF risks that the PSP or institution is
exposed to from its customers, products and countries with which it
transacts business. (Refer to Annexure 2)
14.3 FATF recognizes that a risk-based regime will not be a ‘zero failure’
regime. However, the RBZ must be satisfied that the PSP or financial
institution is generally taking reasonable measures to identify, monitor,
control and report its ML/TF risks.
14.4 The RBZ recognizes that the relationship between a customer and a PSP or
financial institution is contractual and the decision to accept or maintain a
business relationship has a commercial basis.
14.5 However, ‘de-risking’ or terminating or restricting business relationships
with customers or categories of customers without adequately assessing the
risk and considering options to manage the risk, is not in keeping with a
risk-based approach.
14.6 An overly cautious approach to AML/CFT measures may have the
unintended consequence of excluding legitimate businesses and consumers
from the formal financial system. Such actions may also reduce overall
financial sector transparency, create obstacles to trade, contribute to
financial exclusion and drive financial transactions underground.
14.7 Further information on the subject of de-risking is available at the following
link: http://www.fatf-gafi.org/publications/fatfgeneral/documents/rba-and-de-risking.html.
14.8 The risk-based approach requires PSPs or financial institutions to
implement measures to mitigate the risks identified from their enterprise
business risk assessment that are appropriate for the nature, size and
complexity of the institution.
14.9 The assessment of ML/TF risk is not a static exercise and assessments must
be reviewed and updated at appropriate times. Risks that have been
identified may change or evolve over time due to any number of factors,
including shifts in customer conduct, the development of new technologies
and changes in the market.
14.10 Emerging risks observed from suspicious activity/transaction reports,
compliance breaches or intelligence from front-line employees that have a
bearing on the risk assessment should be noted and reflected in the risk
assessment as soon as possible.

15. KNOWING YOUR CUSTOMER (KYC) AND CUSTOMER DUE DILIGENCE (CDD)
15.1 PSPs or financial institutions must develop and implement risk-based
policies and procedures to mitigate the ML/TF risks identified in their
business and customer risk assessments.

15.2 The risk assessment framework should identify which customers or
categories of customers present higher risk and therefore require the
application of enhanced due diligence (EDD).
15.3 Similarly, where the PSP or financial institution determines that a
customer or a category of customer presents low risk, simplified due
diligence (SDD) should be applied. Where SDD measures are applied on
the basis of an assessment of low ML/TF risk, the customer due diligence
(CDD) policies and procedures should clearly articulate the rationale and
the applicable measures to be undertaken. In this regard, at a minimum
CDD measures must:
15.3.1 Identify the customer and where applicable, the customer’s beneficial
owner or legal representatives;
15.3.2 Verify the customer’s identity on the basis of reliable and independent
sources and where applicable, verify the beneficial owner’s identity in
a way that the financial institution/PSP is satisfied that it knows who
the beneficial owner is. For legal persons and arrangements, this
should include taking reasonable measures to understand the
ownership and control structure of the customer;
15.3.3 Understand and as appropriate, obtain information regarding the
purpose and intended nature of the business relationship; and
15.3.4 Conduct ongoing due diligence on the business relationship and
scrutinize transactions throughout the relationship to ensure that the
activity is consistent with the financial institution’s knowledge of the
customer and its risk profile, including where applicable, the source of
funds.

15.4 Financial institutions are required to conduct CDD on the customer and
where applicable, the beneficial owner and the person acting on behalf of
the customer at appropriate times such as when a customer is attempting to:
15.4.1 Establish a business relationship;
15.4.2 Conduct a one-off or occasional transaction based on set limits,
where the transaction is carried out in a single operation or in several
operations that appear to be linked; or
15.4.3 Conduct a one-off or occasional wire transfer above a set limit where
the transaction is carried out in a single operation or in several
operations that appear to be linked.
15.5 Financial institutions may also conduct CDD where:
15.5.1 There is suspicion of ML/TF, regardless of the amount of the
transaction, unless doing so results in tipping off the customer. In such
instances, the financial institution may forego the CDD and must file
an STR;
15.5.2 There is doubt about the veracity or adequacy of documents, data or
information previously obtained for the purposes of identification or
verification.
15.6 CDD should also be conducted when there is a change in the circumstances
of the customer, for example, changes to the customer’s transaction activity.
15.7 The primary purpose of the CDD process is to ensure that the financial
institution knows its customers and understands their financial activities.
There should be sufficient information to obtain a complete picture of the
risk associated with the business relationship and provide a meaningful
basis for subsequent monitoring.

16. CUSTOMER ACCEPTANCE POLICY


16.1 Every PSP or FI should develop a clear Customer Acceptance Policy
(CAP), laying down explicit criteria for acceptance of customers.
16.2 Examples of such explicit criteria are as follows:
16.2.1 No account or e-wallet is opened in anonymous or fictitious name(s);
16.2.2 Customers must be categorised as per their risk profile; and
16.2.3 Independent verifications and checks should be diligently conducted.
16.3 The Customer Acceptance Policy (CAP) should be approved by the PSP or FI
board and be continuously reviewed to take into account any market
developments and changes in customer risk profiles.
16.4 The CAP should be one of the cornerstones of the RBA and should enable the
effective implementation of the AML/CFT risk management policy.

17. TECHNOLOGICAL DEVELOPMENTS


17.1 The accelerated development and increased functionality of new
technologies to provide payment channels or financial services create
challenges in ensuring that these types of payment products and services
are not misused for ML/TF purposes. Virtual currencies and various forms
of electronic money, for example, are emerging as potential alternatives to
traditional payment methods.
17.2 The RBZ reiterates that new and existing digital financial technologies
should be approved before launching and being connected to any ecosystem,
in line with the NPS Act. Financial institutions, PSPs and members
of the public are therefore advised to undertake the necessary due diligence
and assessment of risks involved in dealing in digital financial technologies
or with entities providing services associated with digital currencies.
17.3 Nothing in this document shall be taken to indicate the RBZ’s licensing,
authorisation, endorsement or validation of digital currency services or of any
entities involved in providing similar services associated with digital
currencies.
17.4 Accordingly, dealings in digital currencies are not covered by prudential
and market conduct requirements applicable to licensed and authorised
activities, or by established avenues for redress in the event of complaints
or losses and damages incurred by parties dealing in digital currencies.
17.5 Financial institutions must therefore assess the ML/TF risks associated with
the introduction of all:
17.5.1 New financial products and services and/or changes to existing
products and services;
17.5.2 New or additives and developing technologies used to provide
services;
17.6 Financial institutions must:
17.6.1 Undertake the risk assessment and approval prior to the launch or
adoption of such new digital services, products, business practices and
technologies.
17.6.2 Take appropriate measures to manage and mitigate the risks; and,
17.6.3 Properly document the risk assessment.
17.7 In such instances, financial institutions must also consider as applicable, the
RBZ’s Guidelines regarding new or materially different products and
services in line with the NPS, Banking and Exchange Control Acts among
others.

17.8 Financial institutions must also assess the level of risk associated with
potential or existing customers and third parties who offer technologically
innovative products and services, such as Fintech companies, to determine
whether the relationship poses higher ML/TF risk and thereafter, categorize
the relationship and conduct due diligence accordingly.
17.9 In this regard, financial institutions should ensure there are systems and
controls in place to identify emerging ML/TF risks, assess and where
appropriate, incorporate these into the institutional risk assessments in a
timely manner.
17.10 The Central Bank will continue to monitor developments on new payment
methods and provide additional guidance as necessary on emerging best
practices to address regulatory issues in respect of ML/TF risks.

18. TRANSACTION MONITORING


18.1 Payment Systems Providers and financial institutions must have
appropriate mechanisms and processes in place that allow for the
identification of unusual transactions, patterns and activity that are not
consistent with the customer’s risk profile.
18.2 Since these will not all be suspicious, financial institutions should also have
processes to analyse transactions, patterns and activity to determine if they
are suspicious and meet the reporting threshold.
18.3 Transaction monitoring processes or systems may vary in scope or
sophistication (e.g. using manual spreadsheets and exception reports to
automated and complex systems or a combination of both) depending on
the size, volumes and complexity of the business operations.

18.4 Regardless, the key element of any system is having up-to-date customer
information to facilitate the identification of unusual activity.
18.5 Monitoring can be either:
18.5.1 In real time, in that transactions and/or activities can be reviewed as
they take place or are about to take place; or
18.5.2 After the event through an independent review of the transactions
and/or activities that a customer has undertaken.
18.5.3 Any monitoring mechanisms commensurate with the level of risk
identified and measured.
18.6 PSPs and financial institutions should also have systems and procedures to
deal with customers who have not had contact for some time, such as
dormant accounts or relationships, to be able to identify future reactivation
and unauthorized use.
18.7 In designing monitoring arrangements, it is important that appropriate
account be taken of the frequency, volume and size of transactions with
customers, in the context of the assessed customer and product risk.
18.8 Monitoring processes and systems should enable trend analysis of
transaction activity including monitoring of transactions with parties in
higher risk countries or jurisdictions, to identify unusual or suspicious
business relationships and transactions.
18.9 The monitoring system should enable PSPs or financial institutions to
monitor and report to senior management on significant customer
relationships and activity on an individual or consolidated basis across the
financial group and identify activity that is inconsistent with the financial
institution’s knowledge of the customer, their business and risk profile.

18.10 The parameters and thresholds used to generate alerts of unusual
transactions/activity should be customized to be commensurate with a
financial institution’s ML/TF risk profile and the complexity and extent of
its business activities. Standard parameters provided by the vendor may be
used but the financial institution must be able to validate and demonstrate
to the RBZ that these are appropriate for the institution’s risk position.
18.11 The monitoring system should be tested on a periodic basis to ensure that
the parameters are performing as expected and remain relevant. Where
necessary, modifications may be required as a result of such testing.
18.12 Findings, analysis and the proposed modifications should be documented
indicating:
18.12.1 The rationale for reviewing the parameters and thresholds;
18.12.2 Details of testing; any assumptions made and the analysis of
outcomes; and,
18.12.3 The changes made to the parameters and thresholds.

19. IDENTIFICATION OF DESIGNATED ENTITIES AND PERSONS AND FREEZING OF FUNDS
19.1 PSPs and financial institutions must be able to identify and to comply with
reporting and freezing instructions issued by the FIU regarding individuals
and entities designated by the United Nations Security Council or by the
High Court as terrorist entities.
19.2 Pursuant to the MLPC Act, PSPs or financial institutions have specific
obligations to immediately report to the FIU where any of the following
apply:

19.2.1 A person or entity named on the United Nations or consolidated lists
has funds in the financial institution;
19.2.2 The PSP or financial institution has reasonable grounds to believe
that the designated person or entity has funds in Zimbabwe; and
19.2.3 If the designated person or entity attempts to enter into a transaction
or continue a business relationship, a suspicious transaction/activity
report must be submitted immediately to the FIU. The financial
institution must not enter into or continue such transaction with the
designated person or entity.
19.3 Terrorist screening is not a risk-sensitive due diligence measure and must
be carried out regardless of the customer risk profile.
19.4 PSPs or financial institutions must put in place processes to screen
customer details and payment instructions against the designated lists of
persons and entities and also to ensure that the lists being screened against
are up to date.
19.5 The following measures should be considered:
19.5.1 Continuous risk-based screening of customer records;
19.5.2 Immediate screening of one-off, occasional transactions before the
transaction is completed;
19.5.3 Procedures to screen applicable payment messages; and
19.5.4 Procedures to screen payment details on wire transfers and
remittances to reasonably ensure that originator, intermediary and
beneficiary details are included on the transfers.
19.6 A PSP’s or financial institution’s policies and procedures should address:
19.6.1 The information sources used by the financial institution for
screening (including commercial databases used to identify
designated individuals and entities);
19.6.2 The roles and responsibilities of the financial institution’s
employees and officers involved in the screening, reviewing and
dismissing of alerts, maintaining and updating of the various
screening databases and escalating potential matches;
19.6.3 The frequency of review of such policies, procedures and controls;
19.6.4 The frequency of periodic screening;
19.6.5 How potential matches from screening are to be resolved by the
financial institution’s employees and officers, including the process
for determining that an apparent match is a positive hit and for
dismissing a potential match as a false match; and
19.6.6 The steps to be taken by the compliance officer for escalating
potential or positive matches to senior management and reporting
potential or positive matches to the FIU.

20. KNOWING YOUR EMPLOYEE (KYE)


20.1 In addition to knowing the customer, a PSP or financial institution must
have robust procedures in place for knowing its employees.
20.2 Every regulated institution should have a recruitment policy to attract and
retain employees of the highest levels of integrity and competence. The
ability to implement an effective AML/CFT programme depends in part
on the quality and integrity of employees.

20.3 Consequently, PSPs or financial institutions should undertake due diligence
on prospective employees and throughout the course of employment. At a
minimum, the regulated institution should:
20.3.1 Verify the applicant’s identity and personal information including
employment history and background. Consider credit history checks
on a risk-based approach;
20.3.2 Develop a risk-focused approach to determining when pre-
employment background screening is considered appropriate or when
the level of screening should be increased, based upon the position
and responsibilities associated with a particular position;
20.3.3 The sensitivity of the position or the access level of an individual
employee may warrant additional background screening, which
should include verification of references, experience, education and
professional qualifications;
20.3.4 Maintain an ongoing approach to screening for specific positions, as
circumstances change, or for a comprehensive review of employees
over a period of time. Internal policies and procedures should be in
place (e.g. codes of conduct, ethics, conflicts of interest) for
assessing employees; and,
20.3.5 Have a policy that addresses appropriate actions when pre-
employment or subsequent due diligence detects information contrary
to what the applicant or employee provided.
20.4 Verification should generally include the following:
20.4.1 Reference checks;
20.4.2 Checking the authenticity of academic qualifications;
20.4.3 Verifying employment history; and
20.4.4 Any other possible source of evidence of one’s background.
20.5 The names, addresses, position titles and other official information
pertaining to employees appointed or recruited by the financial institution
should be maintained for up to a period of six years after termination of
employment and made available to the RBZ upon request.
20.6 PSPs or financial institutions should ensure to the extent permitted by the
laws of the relevant country, that similar recruitment policies are followed
by their branches, subsidiaries and associate companies abroad, especially in
those countries which are not sufficiently compliant with the
recommendations of the Financial Action Task Force.
20.7 In addition to a robust recruitment policy, financial institutions should
implement ongoing monitoring of employees to ensure that they continue
to meet the institution’s standards of integrity and competence.
20.8 PSPs or financial institutions should establish and maintain procedures to
ensure high standards of integrity among employees, including the meeting
of statutory “fit and proper” criteria of the officers of the company. Integrity
standards should be documented and accessible to all employees.
20.9 These procedures may include standards for:
20.9.1 Acceptance of gifts from clients;
20.9.2 Social liaisons with clients;
20.9.3 Disclosure of information about clients who may be engaged in
criminal activity; and,
20.9.4 Confidentiality.

20.10 The standards should include a code of ethics for the conduct of all
employees and procedures should allow for regular reviews of employees’
performance and their compliance with established rules and standards. It
should also provide for disciplinary action in the event of breaches of
these rules.
20.11 Financial institutions and PSPs should monitor employees paying
particular attention to employees whose lifestyles cannot be supported by
their salary or known financial circumstances.
20.12 Supervisors and managers should be encouraged to know the employees
in their department and investigate any substantial changes in their
lifestyles which do not match their financial condition. Procedures should
provide for special investigation of employees who are associated with
unexplained shortages of funds.

21. CORE OBLIGATIONS OF REPORTING ENTITIES


21.1 The core AML/CFT obligations of reporting designated non-financial
businesses and professions are set out in sections 24-34 of the MLPC Act.
21.2 These core obligations can be summarised as follows:
21.2.1 To appoint an appropriately qualified and experienced compliance and
reporting officer (CRO) with responsibility for AML/CFT compliance,
and to establish and maintain procedures and systems (including an
audit function and training programme) sufficient to ensure compliance;
21.2.2 To apply customer due diligence (CDD) measures, also known as ‘Know
Your Customer’ (KYC) measures, using a risk-based approach, in
respect of all customers, business relationships and transactions (s12B
of the MLPC Act);
21.2.3 To conduct ongoing monitoring of business relationships, including
paying special attention to complex, unusual or large transactions with
no apparent economic/lawful purpose, and relationships and
transactions with persons in high-risk jurisdictions;
21.2.4 To stop acting and terminate any existing business relationship
whenever unable to apply CDD or ongoing monitoring;
21.2.5 To maintain records, including records of all prescribed CDD measures
and all transactions and related correspondence, for at least ten years
from the transaction or correspondence date or the end of the business
relationship;
21.2.6 To report suspicious transactions or attempted transactions to the FIU in
terms of section 30 of the MLPC Act; and
21.2.7 To make disclosures required by the Statutory Instrument 56 of 2019,
for the Suppression of Foreign and International Regulation.
21.3 Failure to comply with these core obligations may result in compliance
action by the FIU, disciplinary action by the relevant supervisory
authority (for example, the RBZ), and potentially in criminal prosecution
for breach of the Suppression of Terrorism statutes or complicity in
money laundering.
21.4 It is important to appreciate that the MLPC Act (2018) reflects a risk-
sensitive approach to due diligence and monitoring by reporting entities.
This means that reporting entities are permitted to adopt different
approaches to CDD and ongoing monitoring of customers according to
the different risk ratings of those customers.
21.5 A reporting entity may be allowed to apply ‘simplified due diligence’ in
certain situations that are deemed to be low-risk for money laundering and
financing of terrorism, and required to implement enhanced measures in
situations that are deemed to be high-risk.

Institutional Risk Assessment


21.6 Prior to conducting the risk assessment, PSPs or FIs should familiarise
themselves with the latest National Risk Assessment (NRA), the Mutual
Evaluation Report of Zimbabwe, any trends and typology reports issued
by the Financial Intelligence Unit (FIU) and any other guidance issued by the
RBZ or any arms of Government.
21.7 This will ensure that PSPs or FIs comprehend the ML/TF risk inherent to
them at the national/country level and that the same is reflected in the risk
assessment conducted at institutional level.
21.8 Furthermore, PSPs or FIs need to ensure that they are aware of the relevant
requirements under the FATF 40 Recommendations which have an
impact on their operations, and keep abreast of developments in the
ML/FT landscape in order to update the risk assessment, as necessary,
with relevant information.
21.9 In assessing ML/TF risks as guided in section 8 above, reporting
institutions are required to have the following processes in place:
21.9.1 Documenting their risk assessments and findings;

21.9.2 Considering all the relevant risk factors before determining what is
the level of overall risk and the appropriate level and type of
mitigation to be applied;
21.9.3 Keeping the assessment up-to-date through a periodic review; and
21.9.4 Having appropriate and clearly defined mechanisms to provide risk
assessment information to the supervisory authority.
21.10 PSPs or FIs do not have to follow all the processes in this Guideline but
should apply the method of risk assessment that best suits their individual
business needs, as long as it is adequate for the business and tailored to
the local context.
21.11 However, they should be able to explain and demonstrate to the Central
Bank, the adequacy and effectiveness of procedures, policies and controls
stated therein, within the context of Zimbabwe’s AML/CFT
requirements.

Internal Controls, Policies and Procedures


21.12 Reporting institutions and PSPs must:
21.12.1 Have policies, controls and procedures to manage and mitigate
ML/TF risks that have been identified;
21.12.2 Monitor the implementation of those policies, controls, procedures
and enhance them if necessary; and
21.12.3 Take enhanced measures to manage and mitigate the risks where
higher risks are identified.
21.13 Every reporting entity must take appropriate measures to ensure that all
officers, employees, and agents engaged in dealing with customers or
processing business transactions understand and comply with all
applicable AML/CFT requirements.
21.14 Reporting entities who are individuals with no employees or associates
do not have to appoint a separate compliance and reporting officer (CRO)
to implement the procedures and systems set out in the MLPC Act. That
does not, however, excuse the individual from compliance with the core
obligations of CDD, ongoing monitoring, record-keeping, and reporting
suspicious transactions.
21.15 All other reporting entities must appoint a CRO with overall responsibility
for AML/CFT compliance.
21.16 The CRO must be a senior officer who is sufficiently qualified and
experienced to comply with the detailed requirements of the MLPC Act,
to act as the liaison point with the FIU and relevant supervisory authorities
in Zimbabwe, and to command the necessary independence and authority
to train and supervise all other officers, employees, merchants and agents.
21.17 The CRO should at all times be resident in Zimbabwe. In addition, it is
highly recommended that an alternate to the CRO is appointed to assume
the prescribed responsibilities and duties in the CRO’s absence. When
several entities operate closely together within a group, a single CRO at
group level may be designated.

Risk Profiling
21.18 Financial institutions including PSPs must conduct risk profiling on their
customers.

21.19 In profiling the risk of its customers, reporting institutions must consider
the following factors:
21.19.1 Customer risk (e.g. resident or non-resident, type of customers,
occasional or one-off, legal person structure, status as PEP,
occupation);
21.19.2 Geographical location of business or country of origin of customers;
21.19.3 The products, services, transactions or delivery channels (e.g. cash-
based, face-to-face, non-face-to-face, domestic or cross-border); and
21.19.4 Any other information suggesting that the customer is of higher risk.

21.20 The risk control and mitigation measures implemented by reporting
institutions shall be commensurate with the risk profile of a particular
customer or type of customer.
21.21 Upon the initial acceptance of the customer, reporting institutions are
required to regularly review and update the customer’s risk profile based
on their level of ML/TF risks. (Refer to Annexure 3)

Customer Due Diligence


21.22 Customer due diligence (CDD), as defined in section 26 of the MLPC Act,
has four key components:
21.23 Identifying customers, including any person acting on behalf of a non-
individual customer, and verifying their identity;
21.24 Where the customer is not the beneficial owner, identifying the beneficial
owner and taking reasonable measures to verify the beneficial owner’s
identity;

21.25 Obtaining enough information about the nature of the business
relationship and the customer or beneficial owner’s business to identify
complex or unusual transactions or patterns of transactions and other
high-risk activity (“beneficial owner” has the meaning given to it in
section 13); and
21.26 Taking reasonable measures to ascertain the purpose of one-off
transactions relating to transactions outside an existing business
relationship that exceed defined thresholds or limits.

Beneficial Owner
21.27 Note that the concept of ‘beneficial owner’ is now extensively defined in
section 13 of the MLPC Act. This should be carefully studied by all
CROs.
21.28 It is critical to emphasise that the concept of beneficial ownership is not
the same as legal ownership and cannot be determined by reference to the
legal position alone. Beneficial ownership is a broader concept which
focuses on real benefit and/or ultimate effective control.
21.29 The four core CDD obligations apply across the full range of business
relationships and transactions that may be undertaken by reporting
entities, and continue after a business relationship has been established.

Ongoing Monitoring
21.30 The CDD obligations are supplemented by the general obligation of all
reporting entities to conduct ongoing monitoring of all business
relationships.
21.31 Ongoing monitoring has two key components:

21.31.1 Scrutinising transactions for consistency with the customer’s
business, risk profile, and source of funds/wealth; and
21.31.2 Keeping all CDD information and documentation up to date.
21.32 The objective of the ongoing monitoring obligation is to identify activities
of customers during the course of a business relationship which are not
consistent with the reporting entity’s knowledge of the customer, or the
purpose and intended nature of the business relationship, and which need
to be assessed for the possibility that the reporting entity may have
grounds to report a suspicion of money laundering or terrorist financing.
21.33 A reporting entity is accordingly obliged to monitor all dealings with a
customer, to the extent reasonably warranted by the customer’s risk
profile, for consistency with the entity’s knowledge of the customer and
the customer’s business and pattern of transactions.
21.34 When scrutinising the source of funds a reporting entity should seek to
discover the origin and the means of transfer for funds that are directly
involved in the transaction (for example, business activities, proceeds of
sale, corporate dividends).
21.35 Furthermore, when scrutinising the source of wealth a reporting entity
should seek to discover the activities that have generated the total net
worth of the customer (that is, the activities that produced the customer’s
funds and property).
21.36 Other measures for ongoing monitoring of relationships include:
21.37 Review of the customer account/relationship and the risk
classification and undertaking additional due diligence;
21.38 Enhanced monitoring of the relationship/transactions;

21.39 Imposition of restrictions on the customer relationship; or
21.40 Escalation to the relevant senior management level to determine how
to handle the relationship going forward and whether to terminate the
customer relationship.

CDD Measures To Be Applied


21.41 The default position is that CDD requirements are triggered whenever a
reporting entity:
21.41.1 establishes a business relationship;
21.41.2 carries out a one-off transaction, outside an existing business
relationship, that exceeds set limits in cash or wire transactions,
whether in a single or several linked operations;
21.41.3 has doubts about the veracity or adequacy of identification
documentation; or
21.41.4 reasonably suspects money laundering, terrorist financing, or other
serious criminal conduct.
21.42 In the first two situations, the customer’s identity and the nature of the
relevant business or transaction must be verified before the business
relationship is established or the transaction carried out.
21.43 The only exception is for CDD conducted during the establishment of a
business relationship, which is permissible in low-risk situations when
necessary to avoid interruption to the normal conduct of business.
21.44 In this case the CDD must still be completed as soon as practicable after
the relationship is established (refer to FATF R. 10). What constitutes
an acceptable time for this process must be determined in the light of all
the circumstances, including the nature of the business, the geographical
location of the parties, and whether it is practical to obtain all necessary
documents before commitments are entered into or money changes hands.
21.45 All reporting entities should develop customer profiles based on CDD
information obtained. A customer profile will facilitate the ongoing
monitoring of accounts and transactions and assist the reporting entity to
identify suspicious transactions or patterns of transactions.
21.46 For banks and other financial institutions it is recommended that proof of
sources of wealth and initial source of funds are identified at the outset of
a customer relationship. (Refer to Annexures 3 & 4)

Enhanced Due Diligence


21.47 A number of situations are deemed by the AML/CFT Laws to be
sufficiently high-risk to trigger independent or additional CDD
requirements.
21.48 However, the ultimate responsibility for identifying high-risk situations,
and responding to those risks through enhanced CDD and ongoing
monitoring, rests with reporting entities.
21.49 Reporting entities should have adequate systems in place to identify in
advance the countries in which their customers will be operating or
transacting and, if necessary, to obtain additional supporting
documentation, such as contracts and invoices, to verify the purpose and
commercial reality of a relationship or transaction. (Refer to Annexures 4
& 5).

Politically Exposed Person (PEP)


21.50 Enhanced CDD and enhanced ongoing monitoring (on a risk-sensitive
basis) are required whenever a customer, or any beneficial owner of a
customer, is or becomes a politically exposed person (PEP).
21.51 A ‘customer’ for this purpose includes any person entering a business
relationship or undertaking a one-off transaction with the reporting entity.
21.52 A PEP is defined in section 13 of the MLPC Act as an individual
entrusted with a prominent public function, and includes any immediate
family member or close associate of such an individual. It is important to
note that both local and foreign PEPs are covered by this definition (refer
to the Act).
21.53 A PEP also includes family members and associates, who may have
different names and may not publicise the fact of their association with
the relevant individual. Reporting entities are allowed to rely on public
information in determining whether persons are within the definition of
‘close associates’ (for example, partners or joint ventures), and should
conduct regular searches and checks for this purpose.
21.54 Once a PEP has been identified, a business relationship can only be
established with the approval of senior management, and the reporting
entity must take adequate measures to establish the source of wealth and
the source of funds involved in any proposed relationship or transaction.

Reliance on Intermediaries for CDD


21.55 Section 18 of the MLPC Act allows some reporting entities to rely on
intermediaries to apply CDD measures on their behalf, but only in tightly
prescribed circumstances.
21.56 However, reliance on intermediaries does not excuse reporting entities
from their obligation to make CDD records available on request by the
RBZ and other regulatory bodies.
21.57 Section 18(4) of the MLPC Act expressly provides that the ultimate
responsibility for CDD remains with the reporting entity.
21.58 The person relied on may apply CDD measures in respect of a reporting
entity’s customer, any beneficial owner of the customer, any third party
for whom the customer is acting (or beneficial owner of that third party),
and any person purporting to act on the customer’s behalf.

Dormant accounts
21.59 Reactivation of dormant accounts can only be undertaken following
reverification of the account holder in line with the requirements for new
customers.

22. ELECTRONIC FUNDS TRANSFERS


22.1 Section 27 of the MLPC Act applies specifically to reporting entities
which are licensed as financial institutions or payment systems providers
in Zimbabwe.
22.2 When these entities provide electronic funds transfers for their customers,
they are required to include an accurate unique identifier number, addresses,
paying and receiving banks or entities, originator, recipient, amount and
other related information or messages on the transfer, and to ensure that
the same information remains with the transfer.
22.3 This obligation should be read together with the requirements of the
National Payment System Act and Guidelines.

22.4 Reporting entities should ensure that they obtain full name and address
information from the ordering customer for all credit/debit transfers made
by electronic means, both domestic and international, regardless of the
payment or message system used.
22.5 To ensure that the SWIFT system is not used by criminals as a means to
break the audit trail, when sending SWIFT MT 100 messages (customer
transfers), reporting entities should accurately complete the fields for both
the ordering and beneficiary customers with their respective names and
addresses.
22.6 In addition, when the transfer is the result of a credit or debit card
transaction, it is not necessary to include or keep originator information
as long as the credit or debit card number is included with the transfer.
22.7 Records of electronic payments and associated messages must be treated
in the same way as any other transaction records and kept by the reporting
entity in an accessible form for a minimum of ten years (refer to section 9.2
of the Guidelines for Retail Payment Systems and Instruments 2017).

23. NON-FACE-TO-FACE SITUATIONS


23.1 Any non-face-to-face transactions or contact between reporting entities
and customers inevitably pose difficulties for customer identification.
Reporting entities are nevertheless obliged to apply equally effective
customer due diligence and ongoing monitoring procedures for
non-face-to-face customers.
23.2 Financial institutions in particular are increasingly requested to open
accounts or electronic wallets on behalf of customers who do not present
themselves for personal interview. An institution is obliged to put specific
and adequate measures in place to mitigate this higher risk and to take
particular care in supervising the account opening process.
23.3 It may be inappropriate to accept photographic evidence of identity, for
example, as there is a greater difficulty in matching the purported
customer with the documentation supplied.
23.4 However, examples of good practice measures for risk mitigation in the
non-face-to-face context include:
23.4.1 Requiring additional documents;
23.4.2 Requiring certification of documents presented by a notary,
diplomatic official, or equivalent independent professional;
23.4.3 Independent contact with the customer;
23.4.4 Third party introduction, where consistent with the AML Regulations
regarding reliance on intermediaries to conduct CDD on the reporting
entity’s behalf; and
23.4.4.1.1 Reporting institutions may rely on third parties to conduct
CDD or to introduce business.
23.4.4.1.2 The ultimate responsibility and accountability for CDD
measures shall remain with the reporting institution relying
on the third parties.
23.4.4.1.3 Reporting institutions shall have in place internal policies
and procedures to mitigate the risks when relying on third
parties.

23.4.5 Requiring an initial payment to be carried through an account in the
customer’s name with another bank subject to equivalent CDD
requirements, in particular diasporians requiring such services.

24. REMITTANCES
24.1 Full details of all remittances, as required by law, must be recorded,
including names of the beneficiary.
24.2 If information as required by law relating to the name of the originator
(including details of the transaction) is not provided by the customer, then
the transaction should not be processed and the PSP or FI should consider
submitting a report to the FIU.
24.3 If staff have any concerns about the validity of the documents provided
by the customer, reference must be made to senior management and/or the
compliance officer before conducting the transaction. Copies of
supporting documents must be kept together with the payment system or
wire transfer application form.
24.4 In circumstances where the PSP/FI’s knowledge of the customer is not
consistent with the value or purpose of the remittance but staff are satisfied
regarding the explanation given for the remittance, the remittance may be
processed for payment.
24.5 Future requests to transfer funds should be monitored against the
customer profile to confirm or deny the initial explanation. Should staff
form a view that the customer may be involved in money laundering or
terrorist financing, a suspicious transaction report must be completed and
submitted to the compliance officer.

24.6 Payment of cash in excess of the threshold amount, to non-bank account
holders through the PSP or wire transfer will require evidence of the
remitter’s name, address, and account number or unique identification
number. An explanation for the source of the funds and their purpose
should also be obtained. If the funds are to be collected by the beneficiary,
then evidence of proof of identity of the beneficiary should also be
provided.
24.7 Where inward remittances are received that do not include the required
information as specified by law, the wire transfer should approach the
remitting bank to obtain missing information. If the information is not
provided, the wire transfer may, depending on the size and nature of the
transaction, accept the payment and provide funds to the beneficiary,
decline to accept the funds and return the funds to the sending institution,
or, through the compliance officer, submit a report to the FIU.
24.8 Alternative remittance systems:
24.8.1 Unregulated remittance systems such as hawala and other informal
mechanisms. These systems often have traditional roots or ethnic ties
and operate in jurisdictions where the formal systems are less
functional or not established. Notably, funds can be transferred
without any documentation.
24.8.2 Cash couriers: Cash is smuggled across borders, for example through
border jumping or crossings and truck shipments where borders are
uncontrolled or have limited capacity to monitor.

24.8.3 False invoicing: False trade invoicing provides a means to transfer
money between jurisdictions by overstating the value of the goods or
services for which payment is due.
24.8.4 High-value commodities: Commodities like gold and diamonds can
also be used to transfer value across borders as both are easy to
convert into cash.

25. CONFIRMATION OF IDENTITY BY OTHER INSTITUTIONS


25.1 The obligation to verify identity using the best evidence and means
available rests with the reporting entity opening the account or
establishing the relationship.
25.2 In cases where a reporting entity is not satisfied with the documentary
evidence provided or with the results of public enquiries, it may need to
approach another institution, on a non-competitive basis, specifically for
the purpose of verifying identity.
25.3 A standard format can be used for making such enquiries. It may be
necessary to obtain the prior consent of the prospective client for
disclosure of their information by the other financial institution.

26. NON-RESIDENT PERSONAL CUSTOMERS


26.1 Persons who are not resident in Zimbabwe but who wish to open
electronic wallets or accounts or establish other business relationships
with reporting entities in the jurisdiction are subject to verification
procedures similar to those for resident customers.
26.2 Address verification can pose difficulties. However, passports or national
identity cards will always be available. It is impractical to set out detailed
descriptions of the various identity documents that might constitute
acceptable evidence of identity by foreign nationals.
26.3 Reporting entities may wish to verify identity with a reputable credit or
financial institution in the applicant's country of residence. Alternatively,
a police character certificate from the applicant’s country of residence
may be sought.
26.4 For prospective non-resident customers who wish to open electronic
wallets or accounts without appearing in person, it will not be practical to
seek sight of an original passport or national identity card. Copies should
be certified by notaries, diplomatic officials, or equivalent independent
professionals.
26.5 Verification of identity and address should also generally be sought from
a reputable credit or financial institution in the applicant's country of
residence. Steps should be taken to verify the applicant’s signature.

27. COMPANIES AND OTHER LEGAL ENTITIES


27.1 For customers that are legal persons, reporting institutions are required to
understand the nature of the customer’s business, its ownership and
control structure.
27.2 Corporates have a high potential for concealing beneficial ownership;
company bank accounts, mobile banking agents or merchants are among
the most high-risk vehicles for money laundering, particularly when
opened and ostensibly operated by a legitimate trading company.

27.3 Additional obligations for assessing corporate activities focus on
knowledge of and about the beneficial owners and any other persons
authorised to act on behalf of the account holder.
27.4 Obtaining information on the purpose and nature of the business
relationship, including proof of sources of wealth and initial source of
funds, is also particularly important, to enable the reporting entity to
conduct meaningful ongoing monitoring.
27.5 Before a business relationship is established with a legal entity, and at
appropriate regular intervals after the relationship is established, measures
should be taken by way of a company search and/or other commercial
enquiries to ensure that the applicant company has not been, or is not in
the process of being, dissolved, struck off, wound up or terminated.
27.6 Further checks should be made whenever the reporting entity becomes
aware of changes in the management or ownership structure.

28. CORRESPONDENT BANKING SERVICES


28.1 Licensed financial institutions in Zimbabwe may not enter into cross-
border correspondent banking relationships without satisfying a number
of additional controls set out in section 21 of the MLPC Act, including:
28.1.1 Fully understanding the nature of the business of the proposed
correspondent bank or payment service provider;
28.1.2 Being satisfied on reasonable grounds as to the reputation, quality of
supervision, and AML/CFT financial controls of the proposed
correspondent;

28.1.3 Documenting the responsibilities of the proposed correspondent in
applying AML/CFT controls;
28.1.4 Being satisfied on reasonable grounds that CDD and ongoing
monitoring measures are being properly applied to customers with
direct access to any payable-through account held with the bank in the
name of the proposed correspondent, and that CDD documentation is
available to the bank on request; and,
28.1.5 Obtaining approval of the Board of Directors.
28.1.6 Regulated entities or payment services providers in Zimbabwe are not
permitted to enter into or continue correspondent banking relationships
with shell banks, nor with banks that permit their accounts to be used
by a shell bank.

29. SUSPICIOUS TRANSACTION REPORT (STR)


29.1 PSPs as reporting institutions must promptly submit a suspicious
transaction report to the Financial Intelligence Unit whenever the
reporting institutions suspect or have reason to suspect that the transaction
(including attempted or proposed transaction), regardless of the amount.
29.2 Section 13 of the MLPC Act defines the Suspicious Transaction
Report (STR).
29.3 Financial institutions or Payment Service Providers are required by
section 30 to make a suspicious transaction report (STR) in any situation
which the reporting entity deems necessary, in line with the MLPC Act, as
follows:

29.3.1 Has knowledge or reasonable grounds to suspect that any service or
transaction may be related, directly or indirectly, to the commission of
criminal conduct (but not limited to money laundering or terrorist
financing) or to money or property that is or represents the benefit of
criminal conduct;
1) Has information that may be relevant to an act preparatory to an
offence or to money or property that is or represents the benefit of
criminal conduct;
2) Has information that may be relevant to an investigation or
prosecution of a person for criminal conduct; or
3) Has information that may be of assistance in enforcing the
AML/CFT Acts.
29.4 It is also important to appreciate that there may be an obligation to make
an STR in the absence of any transaction or proposed transaction.
Reasonable grounds for suspicion can arise in the context of any service
provided by a reporting entity.
29.5 It is not only reporting entities that are obliged to make STRs. Section 30
of the MLPC Act provides that supervisory authorities and auditors of
reporting entities must make an STR where any transaction or attempted
transaction by or through the entity is reasonably suspected by the
authority or auditor to be related to the commission of criminal conduct
(or an act preparatory thereto) or of assistance in the enforcement of the
Act.
29.6 The obligation to make STRs under the MLPC Act complements the
duties of disclosure of a good corporate citizen, which require all persons
(not just reporting entities) to disclose to the authorities any information
that will assist in the prevention or detection of money laundering and
terrorist acts, including information about any property in his or her
possession or control that is known to be owned or controlled by or on
behalf of a terrorist group, in the circumstances set out in the Suppression
of Foreign and International Terrorism Act.
29.7 It should be noted that if a reporting entity permits a service or transaction
to proceed where the timely making of a STR would have prevented that
service or transaction from taking place, that reporting entity is likely to
have committed the offence of money laundering and financing of
terrorism.

30. TIPPING OFF AND PROTECTION FROM LIABILITY


30.1 Section 31 of the MLPC Act requires all officers, employees, and agents of
reporting entities to exercise the utmost confidentiality on issues related
to money laundering and terrorist financing.
30.2 However, the Act also provides protection for CROs and others who
discharge their statutory responsibilities in good faith.
30.3 In cases where the reporting institution forms a suspicion of ML/TF and
reasonably believes that performing the CDD process would tip off the
customer, the reporting institution is permitted not to pursue the CDD
process. In such circumstances, the reporting institution may proceed with
the transaction and immediately file a suspicious transaction report.
30.4 Reporting institutions shall observe the prohibition of tipping-off as
stipulated under the MLPC Act, section 31.

31. MANAGEMENT INFORMATION SYSTEM (MIS)


31.1 PSPs as reporting institutions must have in place an adequate management
information system (MIS) to complement and support their CDD process.
31.2 The MIS is required to provide the reporting institution with timely
information on a regular basis to enable the reporting institution to detect
irregularity and/or any suspicious activity.
31.3 The MIS shall be commensurate with the nature, scale and complexity of
the reporting institution’s activities and ML/TF risk profile.
31.4 The MIS must be able to capture, at a minimum, information on multiple
transactions over a certain period, large transactions, anomalies in
transaction patterns, customers’ risk profiles and transactions exceeding
any internally specified threshold.
31.5 The MIS shall be able to aggregate customer transactions from multiple
accounts and/or from different systems.
31.6 The MIS may leverage on and be integrated with the reporting
institution’s existing information systems that support its business
operations to the extent that customer information captured in such
systems is accurate, up-to-date and reliable.

32. TRAINING AND AWARENESS PROGRAMMES


32.1 An integral element of the fight against money laundering and the
financing of terrorism is the awareness of those charged with the
responsibility of identifying and analysing potential illicit transactions.
32.2 Therefore, in accordance with the MLPC Act, PSPs or financial institutions
are required to ensure that appropriate training is conducted with board
of directors and all relevant employees (on an ongoing basis) to equip
them to perform their obligations in respect of AML/CFT requirements.
32.3 PSPs or financial institutions should conduct AML/CFT training for all
new members of the board of directors and relevant employees and should,
at least on an annual basis, conduct refresher training programmes to
ensure that employees remain familiar with and are updated with regard to
their responsibilities.
32.4 Refresher programmes should address, among other things, new
AML/CFT typologies, legislative updates (including new and proposed
amendments) and international developments in AML/CFT.
32.5 At a minimum, a financial institution is required to:
32.5.1 Develop an appropriately tailored training and awareness programme
consistent with the financial institution’s size, resources and type of
operation to enable relevant employees to be aware of the risks
associated with ML and TF;
32.5.2 The training should also ensure employees understand how the
institution might be used for ML or TF; enable them to recognize and
handle potential ML or TF transactions; and to be aware of new
techniques and trends in money laundering and terrorist financing;
32.5.3 Document, as part of their AML/CFT policy document, their
approach to training, including the frequency, delivery channels and
content;
32.5.4 Ensure that all employees are aware of the identity and
responsibilities of the CO to whom they should report unusual or
suspicious transactions;

32.5.5 Establish and maintain a regular schedule of new and refresher
programmes, appropriate to their risk profile, for the different types
of training required for:
32.5.5.1.1 new employees;
32.5.5.1.2 operations employees;
32.5.5.1.3 agents;
32.5.5.1.4 supervisors;
32.5.5.1.5 board and senior management; and
32.5.5.1.6 audit and compliance employees.
32.5.6 Obtain an acknowledgement from each employee on the training
received;
32.5.7 Assess the effectiveness of training; and,
32.5.8 Provide all relevant employees with reference manuals/materials that
outline their responsibilities and the institution’s policies. These
should complement rather than replace formal training programmes.
32.6 The effectiveness of the institution’s training programme may be assessed
by:
32.6.1 Testing employees’ understanding of the policies and procedures to
combat ML/TF, the understanding of their statutory and regulatory
obligations, and also their ability to recognize suspicious
transactions; and
32.6.2 Monitoring the compliance of employees with the AML/CFT
procedures as well as the quality and quantity of internal reports so
that further training needs may be identified and appropriate action
can be taken.

32.7 Financial institutions are also required to maintain records of employee
training which at a minimum should include:
32.7.1 The names of employees who have received the training;
32.7.2 The date on which the training was delivered;
32.7.3 The results of any testing carried out to measure employees’
understanding of the anti-money laundering requirements; and
32.7.4 An on-going training plan.
32.8 Risk management systems should depend on the size and complexity of
each payment system provider.
32.9 All sound risk management programs, however, have several common
fundamentals. Regardless of the risk management program’s design, each
should include: risk identification, risk measurement, risk control and risk
monitoring.

PREPARED BY : NATIONAL PAYMENT SYSTEMS DEPARTMENT

APPROVED BY : J. MUTEPFA, DEPUTY DIRECTOR FINANCIAL MARKETS

SIGNATURE :

DATE : 15 JANUARY 2021

ATTACHMENT OF ANNEXURES

ANNEXURE 1
Board of Directors and Senior Management Responsibilities

a) Board of Directors and Senior Management at minimum are required to:

• undertake a risk assessment which identifies the vulnerability of the
PSP/financial institution to be used to launder money or finance
terrorists;
• on the basis of the risk assessment, implement a risk management
framework to ensure that the PSP/FI is not used to launder money
or finance terrorists;
• ensure that the risk management framework is risk based with
sufficient resources being devoted to dealing with higher-risk
customers and transactions;
• ensure that the PSP/FI has appropriate compliance management
arrangements, including the appointment of a compliance officer at
management level; and
• devote sufficient resources to deal with money laundering and
terrorist financing, including ensuring that the compliance function
is adequately resourced and that staff receive appropriate and
adequate training.

• carry out a risk assessment, which should be reviewed and updated
on a regular basis, identifying where the business is vulnerable to
ML and TF;
• based on the risk assessment, develop internal policies, procedures,
and controls to combat money laundering and the financing of
terrorism;
• ensure staff effectively implement the internal policies, procedures,
and controls and receive appropriate training;
• monitor the effective implementation of the policies, procedures,
and controls and make improvements where required on the basis
of changes to the ML and TF risk assessment or as recommended
by the supervisory agency and/or the FIU;
• ensure effective implementation of a risk based approach to the
management of money laundering and terrorist financing risk. The
management of risk needs to be reviewed and updated from time to
time to reflect changes in the institution’s strategy or other factors
such as changes to the law;
• ensure that policies and procedures take into account risk factors
relating to the customer, product and service, delivery channel, and
geographic location of the customer. Where higher risks are
identified, based on the institution’s risk assessment, the staff must
take extra measures and senior management should ensure that the
staff fully understand and implement the requirements of the
policies and procedures;
• ensure that there is documented evidence of its oversight function,
for example, in minutes of meetings of the Board (or committees of
the Board).

b) Ensuring that the Board receives the requisite training on AML/CFT
generally as well as on the institution’s specific AML/CFT risks and
controls;
c) Ensuring receipt of regular and comprehensive reports on the financial
institution’s AML/CFT risks from the senior management, including but
not limited to:
• Remedial action plans if any, to address the results of
independent audits (either internal or external); regulatory
reports received from the Central Bank or other regulators on its
assessment of the institution’s AML/CFT program; and results
of compliance testing and self-identified instances of
non-compliance with AML/CFT requirements;
• Recent developments in AML/CFT laws and regulations and
implications if any, to the financial institution;
• Details of recent significant risk events and potential impact on
the financial institution; and,
• Metrics including but not limited to, statutory reporting to the
FIU, orders from law enforcement agencies, refused or declined
business and de-risked relationships.


ANNEXURE 2
General Guidance to Risk Based Approach
PSPs and participating institutions may conduct their internal money
laundering and financing of terrorism risk assessments (for their customers,
products & services, transaction channels and geographic areas) in order
to develop their own policies and procedures to identify, assess, manage
and mitigate related risks on an ongoing basis.

It is always advisable that measures to prevent ML/FT risks are commensurate
to the risks identified for effective mitigation. Such risk assessments are
generally based on perception, subjective judgment and experience of banks
about risk regarding aforesaid elements.

In this regard, the major considerations for PSPs/FIs may be:

i) Quantification of risk through a risk Matrix: A matrix which quantifies
likelihood and impact/consequences on two dimensions may be
developed thereby categorizing risk as low, medium, high or any
appropriate scale.
ii) It is pertinent to mention here that without proper quantification of
risks, it may be difficult to decide which customer qualifies for
simplified due diligence (SDD) or enhanced due diligence (EDD).
iii) Risk Register: A risk register may be developed whereby risks
emanating from various business aspects can be accounted for. These
may include the following:

a. Customers: Identifying risk determinants while establishing
relationships with customer;
b. Products: Envisaging risk attributes resulting from customer’s need
for financial services and appropriate controls;
c. Delivery Channels: Identifying risks associated with delivery
channels which may vary from customer to customer depending on
their needs; and,
d. Geographic/Jurisdictional: Risks resulting from customer
geographic presence and jurisdiction in which the customer is
operating.
iv) Controls: After assessing the risks, the controls are reviewed to
assess whether they are effective in addressing the risks.
v) Residual Risk: In the next step, after the risks have been assessed,
controls are accounted for to quantify the residual risks.
vi) Risk decision: After identification and quantification of inherent risks,
controls and residual risks, a decision should be taken. For example,
while establishing a relationship, the decision may be whether to take
the customer on-board, mark the customer as high risk or refuse to
accept the customer etc.

Risk-Based Approach Cycle


i) The following cycle represents the six steps of the risk-based approach:
ii) Identification of inherent risks (business-based risk assessment along
with the relationship-based risk assessment);
a. Setting risk tolerance;
b. Creating risk-reduction measures and key controls;
c. Evaluating residual risks;
d. Implementing risk-based approach; and
e. Reviewing risk-based approach.

iii) All PSPs and FIs should complete the risk based template to determine
the potential risk levels. (see Annexure 1).

Risk Based Annexure 1-Table

Importance of indicator scale: 5 Very high, 4 High, 3 Medium, 2 Low, 1 Very low

| Indicator* | Correlation of indicator to risk | Importance of indicator** | Institution's risks for each indicator***: Name of Institution | Institution's risks for each indicator***: OVERALL |
|---|---|---|---|---|
| Corporate Governance | Positive | Very high | Very low | Very low |
| ML/TF risk level for the sector | Positive | Very high | Very low | Very low |
| Legal Framework Clarity | Positive | Very high | Very low | Very low |
| Size of Institution | Positive | Very high | Very low | Very low |
| Complexity & No of Products | Positive | Very high | Very low | Very low |
| Geographical Spread | Positive | Very high | Very low | Very low |
| Transactional Values | Positive | Very high | Very low | Very low |
| Customer Base | Positive | Very high | Very low | Very low |
| High Net Worth Customers | Positive | Very high | Very low | Very low |
| Foreign Customers | Positive | Very high | Very low | Very low |
| Foreign Customers from High Risk Countries | Positive | Very high | Very low | Very low |
| Customers with Predictable Sources of Income | Positive | Very high | Very low | Very low |
| Customers with Unpredictable Sources of Income | Positive | Very high | Very low | Very low |
| PEPS | Positive | Very high | Very low | Very low |
| Cash Transactions | Positive | Very high | Very low | Very low |
| Internal Controls | Positive | Very high | Very low | Very low |
| Third Party Payments | Positive | Very high | Very low | Very low |
| Payments terms outside norms | Positive | Very high | Very low | Very low |
| Risk Appetite | Positive | Very high | Very low | Very low |
| Staff Knowledge | Positive | Very high | Very low | Very low |
| Overall | | Very high | Very low | Very low |


ANNEXURE 3
Risk Profiling of Customers
PSPs and participating institutions (FIs) should profile every new customer
using their own judgment and information obtained through the CDD/KYC
process. A template of Customer Risk Profiling (CRP) is provided at
‘Annexure-3A’ for guidance in order for respective institutions to develop
their own CRP formats considering their business activities, customer base
and internal procedures etc.

PSPs and all FIs are required to have adequate policies and processes,
including strict customer due diligence (CDD) rules to promote high ethical
and professional standards in the digital financial services sector and prevent
the institution from being used, intentionally or unintentionally, for criminal
activities.…

‘Adequate policies and processes’ in this context requires the implementation
of other measures in addition to effective CDD rules. These measures should
also be proportional and risk-based, informed by PSPs’ own risk assessment
of ML/FT risks. Such policies and procedures should require basic due
diligence for all customers and commensurate due diligence as the level of
risk associated with the customer varies.

For proven lower risk situations, simplified measures may be permitted, if this
is supported with the appropriate customer risk profiling.

It is important that the customer acceptance policy is not so restrictive that it
results in a denial of access by the general public to digital financial services,
especially for people who are financially or socially disadvantaged.

Annexure 3A.

A Template of Customer Risk Profiling (CRP) Form


| Risk Determinants | Risk Variables/ Determinants | Assigned Risk Weight |
|---|---|---|
| Customer | Exceptions in getting KYC related information from customer | 1 |
| | High net worth customer or high value transactions | 6 |
| | Politically exposed person, its close associate or family member | 10 |
| | Relatively complex control/ ownership structure | 9 |
| | Reliability of verification measures | 3 |
| | Unclear source of funds or income from undocumented sources | 6 |
| | Beneficial ownership of funds may not belong to customer | 5 |
| Product & Services | Use of products & services which entail non face-to-face conduct | 7 |
| | Customer seeks private banking or other riskier services | 5 |
| | Customer subscribes for International/ foreign products & services | 4 |
| | Excessive use of funds remitting instruments | 5 |
| Channels | Large wire-in/wire-out or inland online transfers | 6 |
| | Level of cash based transactions | 7 |
| | Element of anonymity in transactions | 8 |
| Locations | Customer is based or linked to High Risk Jurisdictions as per FATF | 9 |
| | Customer is based or linked to UN Sanctioned Countries | 10 |
| | Customer's link to offshore centers or tax havens | 12 |
| | Name matches with databases i.e. World Check, OFAC, EU lists etc | 9 |
| Transaction | Volumes | 4 |
| | Values | 3 |
| | Frequency | 1 |
| | Limits | 4 |
| Others | Red Alerts or guidance provided by FIU on ML/FT typologies | 5 |
| TOTAL | | 139 |

Please note that risk weight assigned as above have been selected according to
prevalence of risk, i.e.
Scale: Never = 0, Low = 5, Moderate = 10, High = 20

Benchmarking

| Risk Score Range | Rating |
|---|---|
| Below 50 | 1 |
| 51 - 80 | 2 |
| →81 - 110 | 3 |
| 111 - 140 | 4 |
| 141 - 170 | 5 |
| 170 & above | 6 |

| Rating | Customer Risk Profiling | Check |
|---|---|---|
| 1 to 2 | Low Risk | |
| 3 to 4 | Moderate Risk | 139 |
| 5 to 6 | High Risk | |

Customer Risk Profile is re-considered in line with predefined criteria of
PSP/FI's own Internal Risk Assessment: Moderate Risk

Prepared by: ………………………………… Date: ………………..
Reviewed by: ………………………………… Date: ………………..
Approved by: ………………………………… Date: ………………..


ANNEXURE 4
Specific High Risk Elements and Recommendations for EDD
Some of the relatively high risk elements identified by regulators and recommended actions for EDD may be
but not limited as under; Refer

Type of Customer and Suggested EDD

1 NPOs/NGOs/ Charities, Trusts, Clubs, Societies, and Associations etc

In relation to these customers, FIs may seek:

(i) A declaration from responsible authorities of Trustees/Executive
Committee/sponsors on ultimate control, purpose and source of funds
etc;
(ii) An undertaking from responsible authorities of Trustees/Executive
Committee/sponsors to inform the FIs about any change of control or
ownership during operation of the account; and
(iii) A fresh resolution of the responsible authorities of the entity in case of
change in person(s) authorized to operate the account.

Maids/housewives

In relation to housewife accounts, FIs may seek:

(i) A self-declaration for source and beneficial ownership of funds;
(ii) Updated details of funds providers, if any along with customer’s
profile; and
(iii) To identify and verify funds providers if monthly credit turnover
exceeds an appropriate threshold to be decided by FIs.

Proprietorships and self-employed individuals/ professionals

In relation to these accounts, following measures may be taken by FIs:

(i) The business transactions in personal accounts of proprietors may only be
permitted by linking it with account/business turnover. For example, such
customers having monthly turnover equivalent to say USD10,000.00 or
above may be required to open a separate account for business related
transactions; and
(ii) In order to verify the physical existence of business or self-employment
status, FIs may conduct physical verification within seven working days
of the opening of account and document the results thereof on account
opening form. In case of unsatisfactory verification, FI may consider
reporting it to FIU and/or may change risk profile, as may be deemed
appropriate.

Products & Services and Suggested EDD

Online transactions/ remittances /e-payments

In relation to such transactions, FIs should pay special attention to
geographical factors/locations for movement of funds.

Delivery Channel and Suggested EDD

Cash

In relation to cash transactions, FIs may:

(i) Monitor cash transactions on enhanced basis by applying relatively
stringent thresholds, as deemed appropriate; and
(ii) Pay special attention to cash based transactions considering examples
of high risk customers.

Wire transfers

In relation to wire transfers, FIs may:

(i) Monitor such transactions on enhanced basis by applying relatively
stringent thresholds, as deemed appropriate; and
(ii) Ensure that funds transfers which are out of character/ inconsistent
with the history, pattern, source of earnings and purpose, shall be
viewed with suspicion and properly investigated for appropriate
action, as per AML/CFT law.


ANNEXURE 5
General High Risk Factors
In respect of general high risk elements mentioned at section (20) above, PSPs
or FIs may conduct EDD measures which are effective and commensurate to
the level of risks.

At a minimum, the following high risk elements/factors should also be
considered as per international standards.

Customers

i) Non-resident customers
ii) Correspondent banks’ accounts
iii) Non-face-to-face business relationships or transactions
Customers with links to offshore tax havens
iv) Customers in high-value items etc
v) High net worth customers with no clearly identifiable source of income
vi) There is a doubt about the veracity or adequacy of available
identification data on the customer
vii) There is reason to believe that the customer has been refused banking
facilities by another FIs
viii) Companies that have nominee shareholders or shares in bearer form
ix) Legal persons or arrangements that are personal asset holding vehicles

Activities

i) Cash intensive or other forms of anonymous transactions
ii) Payment received from unknown or un-associated third parties
iii) Private banking relationships
iv) Informal business with relatively large transactional activities not
consistent with the nature of legal activities

Geography or Locations

i) The jurisdictions which have been identified for inadequate AML/CFT
measures by FATF or called for taking counter-measures
ii) Countries identified by credible sources such as mutual evaluations or
detailed assessment reports, as having inadequate AML/CFT standards
iii) Countries subject to sanctions, embargos, for example, the United
Nations sanction list.
iv) Countries identified by credible sources as having significant levels of
corruption, or other criminal activity
v) Countries or geographic areas identified by credible sources as providing
funding or support for terrorism activities

Examples of such EDD measures may include:

i) Obtaining additional information on the customer (occupation, volume of assets, address,
information available through public databases, internet, etc);
ii) Reducing interval for updating and reviewing customer risk profile; reducing interval for
updating the identification data of customer and beneficial owner;
iii) Obtaining additional information on the intended nature of the business relationship;
iv) Obtaining information on the reasons for intended or performed transactions;
v) Obtaining additional information on the sources of funds or sources of wealth of the customer;
vi) Obtaining the approvals of senior management to commence or continue the business relationship;
vii) Conducting enhanced monitoring of the business relationship, by increasing the number and timing
of controls applied and selecting patterns of transactions that need further examination;
viii) A signatory who is neither a beneficial owner nor a key principal may also be verified if they were
the principal contact with the FI acting on behalf of directors or owners with whom the PSPs had
little or no direct contact; and
ix) Documentary evidence may be sought to support transaction where possible, e.g. purchase of
property etc

| High Risk Businesses | Potential Risk |
|---|---|
| Cash-intensive businesses such as restaurants, retail stores, hypermarkets | Difficulty in identifying unusual activity; no proper record management; inability to verify the source of funds; acting as front companies for terrorists and money launderers |
| Offshore corporations located in tax havens | Entity located in countries where the level of transparency is low. |
| Leather goods stores | Businesses can be used to conceal the illegitimate activities. |
| Exchange Houses | Weak anti-money laundering controls. |
| Luxury goods dealerships | Goods used by money launderers in the integration stage. |
| Used-cars and truck-dealers | Activities using cash in the payment process which can facilitate money laundering and terrorist financing. |
| Travel agencies | Can be used by money launderers to legitimise illegitimate funds. |
| Brokers/dealers in securities | Risk of money laundering, financial crimes such as fraud. |
| Jewels, gem and precious metals dealers | Used by money launderers and arms dealers as payment methods. |
| Import/ export companies | Can be used to import and export prohibited goods to sanctioned countries. |
| Gatekeepers (Lawyers, notaries, accountants, investments advisors, trust and company service providers) | Can be acting on behalf of the UBO and facilitating the money launderers. |
| Free zone companies | Beneficial ownership difficult to identify and can be used as fronts for sanctions entities |
| General Trading | Difficulty in identifying the underlying business activities, since the company can be involved in multiple business activities. |

General Low Risk Factors


There may be circumstances where the risk of money laundering or financing
of terrorism may be low, for example where information on the identity of the
customer and the beneficial ownership is publicly available.

In such circumstances, and provided there has been an adequate analysis of
the risk by the PSP or FI, simplified customer due diligence (SDD) measures
may be applied. Examples of such low risk scenarios/factors may include:

Description and Factors

General low risk factors: customers

i) A financial institution regulated/ supervised by the Central Bank except
for cooperatives;
ii) An entity regulated/ supervised by Securities Exchange Commission of
Zimbabwe (SECZ) and Insurance Pension Commission unless an entity is
notified for application of the requirements;
iii) A government entity;
iv) A foreign government entity;
v) Public administrations or enterprises;
vi) An entity listed on Zimbabwe Stock Exchange; and
vii) An entity listed on a Stock Exchange outside Zimbabwe that is subject to
regulatory disclosure requirements and its information is publicly available

Low risk factors for Products and Transaction Channel

i) Basic Low KYC Accounts;
ii) Low value accounts having monthly credit turnover below defined threshold;
iii) Salary accounts of individuals subject to the condition that account is not used
for other than salary purposes;
iv) Pension accounts for direct credit of pensions;
v) Remittance cards restricted to receive inward remittances only; and
vi) Other financial products or services that provide appropriately defined and
limited services to certain types of customers so as to increase access to
financial services

Low risk factors for Geography or Locations

i) Country identified by credible sources such as mutual evaluation or detailed
assessment reports, as adequately complying with and having effectively
implemented the FATF Recommendations; and
ii) Country identified by credible sources as having a low level of corruption, or
other criminal activity.

Examples of some SDD measures

i) Decreasing the frequency of customer identification updates;
ii) Reducing the degree of on-going monitoring and scrutinizing transactions based
on a reasonable monetary threshold; and
iii) Not collecting specific information (no exemption shall be presumed in respect
of minimum documents prescribed in MLPC Act and Suppression of
International Terrorism Regulations) or carrying out specific measures to
understand the purpose and intended nature of the business relationship, but
intended purpose and nature of account may be ascertained from the relationship
established or from the type of transactions.

In relation to the above, SDD measures should not be considered in the
following situations:

i) When there is a suspicion of money laundering or financing of terrorism;
ii) There are no exceptions in reporting suspicion to FIU within the provisions of
MLPC Act.
iii) In case certain high risk factors are identified by the Central Bank, by the PSP or FI
in its own internal risk assessment or as per international standards vis-à-vis
FATF Recommendations etc.
iv) In relation to customers that are from or in jurisdictions which have been
identified for inadequate AML/CFT measures by FATF or identified by the PSP
or FI itself having poor AML/CFT standards or otherwise identified by the
Central Bank,


ANNEXURE 6
Other Sources of AML/CFT Guidance
The Financial Action Task Force has prepared a number of documents that provide detailed
guidance to a reporting entity to assist them better implement their AML/CFT obligations
under domestic legislation. Some of the guidance documents a reporting entity may
consider consulting include the following:

i) FATF Guidance for Financial Institutions in Detecting Terrorist Financing (2002).
http://www.fatfgafi.org/media/fatf/documents/Guidance%20for%20financial%20institutions%20in%20detecting%20terrorist%20financing.pdf

ii) FATF Guidance on the Risk-Based Approach for the Banking Sector (2014)
http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf

iii) Guidance for a Risk-Based Approach for Money or Value Transfer Services (2016)
http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf

iv) Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and
Internet-Based Payment Services (2013)
http://www.fatfgafi.org/media/fatf/documents/recommendations/Guidancerisk-based approach-NPPS.pdf

v) Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion
(February 2013).
http://www.fatfgafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdf

vi) Guidance on Transparency and Beneficial Ownership (2014)
http://www.fatfgafi.org/publications/fatfrecommendations/documents/transparency-andbeneficial-ownership.html

vii) FATF Guidance Politically Exposed Persons (2013)
http://www.fatf-gafi.org/media/fatf/documents/recommendations/GuidancePEP-Rec12-22.pdf

viii) The Implementation of Financial Provisions of United Nations Security Council
Resolutions to Counter the Proliferation of Weapons of Mass Destruction (2013)

ix) http://www.fatf-gafi.org/media/fatf/documents/recommendations/GuidanceUNSCRS-Prolif-WMD.pdf

x) Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion
(2013)
http://www.fatfgafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdf
