A deep-dive regulatory analysis of Statutory Instrument 99 of 2026
Money Laundering and Proceeds of Crime (Virtual Asset Service Providers Registration) Regulations, 2026
Statutory Instrument 99 of 2026 (S.I. 99 of 2026) represents a watershed moment in Zimbabwe’s financial regulatory history. Officially published as the Money Laundering and Proceeds of Crime (Virtual Asset Service Providers Registration) Regulations, 2026, this statutory instrument legalizes, formalizes, and tightly monitors the virtual asset ecosystem within the country.
By operationalizing the amendments introduced to the principal Act (Money Laundering and Proceeds of Crime Act [Chapter 9:24]), S.I. 99 of 2026 transitions virtual assets out of a gray-market status characterized by regulatory silence and central bank warnings into a strictly governed framework managed by the Financial Intelligence Unit (FIU) of the Reserve Bank of Zimbabwe (RBZ).
This analysis provides a comprehensive review of S.I. 99 of 2026. It explores:
- The intended targets of the legislation.
- Practical operational requirements for businesses.
- Compliance bottlenecks and risk matrices.
- The broader impacts of the regulations on the Zimbabwean economy, financial inclusion, technology ecosystems, and monetary policy.
Who is S.I. 99 of 2026 Intended For?
To understand the boundaries of S.I. 99 of 2026, we must unpack its definition of a Virtual Asset Service Provider (VASP) and “services relating to virtual assets.” The legislation establishes an expansive regulatory net designed to capture any commercial enterprise exercising control or providing infrastructure within the digital asset lifecycle.
1.1 The Statutory Definition of a VASP
Under Section 2(1), a VASP is defined as any person (legal entity) providing “services relating to virtual assets.” Section 2 further expands this by stating that a person is deemed to be providing such services where they:
“…as a business or for commercial benefit, exercises control over, or provides the essential means for, the operation of a software protocol, smart contract, decentralised application, or similar technological arrangement…”
This is a highly modern, technologically neutral definition. It targets not only traditional corporate service providers but also individuals or groups managing decentralized systems if they exercise “control.”
1.2 Defining “Control” in the Era of DeFi
In a bold regulatory move, the S.I. attempts to solve the “DeFi Loophole” (the claim that decentralized protocols have no central operator to regulate). Under Section 2(2), “control” is defined as the direct or indirect ability to:
- Modify Operational Logic: Initiate, modify, or upgrade the protocol’s core code.
- Asset Allocation: Withdraw or reallocate substantial assets held in smart contracts or protocols.
- Determine Economic Parameters: Set or materially alter transaction fees, rewards, or staking yields.
- Govern Decisions: Shape the governance framework or vote-direction of the protocol.
- Market Services: Commercially promote or represent oneself as the operator of the system.
1.3 Specific Business Types Targeted by S.I. 99 of 2026
Based on these definitions, the following businesses must seek immediate registration with the FIU:
┌──────────────────────────────────────────────────────────────────────────────────┐
│ VASP REGULATORY SPECTRUM │
├─────────────────────────┬──────────────────────────────┬─────────────────────────┤
│ CeFi / Custodial │ DeFi / Protocols │ OTC & Enablers │
├─────────────────────────┼──────────────────────────────┼─────────────────────────┤
│ • Centralized Exchanges │ • Smart Contract Admins │ • Over-The-Counter Desk │
│ • Custodial Wallet Devs │ • Multi-Sig Keyholders │ • Peer-to-Peer Escrows │
│ • Brokerages │ • DApp Operators │ • Crypto-Fiat Gateways │
│ • Asset Managers │ • Token Issuers (Launchpads) │ • Crypto ATMs │
└─────────────────────────┴──────────────────────────────┴─────────────────────────┘
- Centralized Virtual Asset Exchanges (CEXs): Businesses operating platforms matching buyers and sellers of digital assets (e.g., Bitcoin, Ethereum, stablecoins) for fiat currency or other virtual assets.
- Decentralized Finance (DeFi) Developers and Operators: Teams, foundations, or companies holding administrative keys (admin keys), managing multi-signature wallets, or governing smart contracts that facilitate token swaps, lending, or borrowing.
- Custodial Wallet Providers: Entities that store, safeguard, or administer private cryptographic keys enabling control over virtual assets on behalf of clients.
- Over-The-Counter (OTC) Trading Desks and Peer-to-Peer (P2P) Escrow Services: Commercial operators executing large block trades or providing platform-mediated trust networks for currency exchanges.
- Initial Coin Offering (ICO) and Token Issuance Platforms: Platforms that assist in the launch, marketing, or distribution of new tokens, utility coins, or security tokens.
- Virtual Asset Asset Managers and Investment Funds: Arbitrageurs, digital asset treasury managers, or yield-generating funds handling public capital.
What Businesses Need to Know
The Compliance & Operational Blueprint
For any VASP wishing to operate legally in or from Zimbabwe, S.I. 99 of 2026 establishes an intensive, multi-phase compliance regime. The standard of entry is exceptionally high, mirroring the regulatory rigorousness of traditional commercial banking.
2.1 The Registration Process: step-by-Step
Registration is a mandatory first step before commencing operations.
┌─────────────────────────────────────────────────────────────────────────────────────┐
│ REGISTRATION PIPELINE │
├────────────────────────┬─────────────────────────┬──────────────────────────────────┤
│ 1. Pre-Requisites │ 2. Submission Package │ 3. FIU Evaluation │
├────────────────────────┼─────────────────────────┼──────────────────────────────────┤
│ • Local Incorporation │ • Form VASPR │ • Complete review within 90 days │
│ • 2 resident directors │ • $500 Issuance Fee │ • Fit & Proper check (Part C) │
│ • Local Office setup │ • Risk Policies & Audit │ • Registration Certificate (1yr) │
└────────────────────────┴─────────────────────────┴──────────────────────────────────┘
- Step 1: Local Presence Establishment: Under Section 4(3), the VASP must be incorporated or registered as a legal entity in Zimbabwe. Multinational groups cannot operate via cross-border solicitation; they must establish a local subsidiary. The VASP must have a physical office (Section 12) and at least two directors who are resident in Zimbabwe (Section 10(1)(c)).
- Step 2: Documentation Gathering: The applicant must compile a exhaustive dossier, which includes:
- Certified organizational documents (incorporation certificate, articles).
- Proof of physical business premises.
- Police clearances for all beneficial owners, directors, and principal officers (less than 6 months old).
- Detailed architectural blueprints of the underlying technology, service delivery pathways, and specific virtual assets to be supported.
- A written entity-specific risk assessment report on money laundering, terrorist financing, and proliferation financing (ML/TF/PF).
- Comprehensive cybersecurity safeguards and data protection policies.
- Step 3: Application Submission: Submit the VASPR Form (First Schedule) to the designated FIU channel.
- Step 4: Fee Settlement: The fee structure (Second Schedule) is structured as:
- Application Fee: None.
- Registration Issuance Fee: USD $500.00.
- Annual Registration Renewal Fee: USD $400.00.
2.2 The “Fit and Proper” Standard (Section 11)
The FIU exercises severe vetting of all major stakeholders (beneficial owners with $\ge 10\%$ equity, directors, and principal officers) through Part C of the VASPR Form. The criteria include evaluating:
- Personal financial standing, insolvency records, and bankruptcy histories.
- Relevant academic qualifications and operational experience in fintech or financial markets.
- Criminal records (specifically targeting fraud, dishonesty, money laundering, and economic crimes).
- Previous regulatory sanctions or license revocations globally.
- Active business engagements that present unmanageable conflicts of interest.
2.3 The “Travel Rule” (Part V)
Perhaps the most technically complex aspect of S.I. 99 of 2026 is the codification of the Travel Rule (Section 17-20). Aligning with FATF Recommendation 15, this rule mandates the real-time collection, retention, and transfer of counterparty data during transactions.
For the Ordering VASP (Section 18):
Before executing any transaction, the initiating VASP must obtain, verify, and securely transmit:
- Originator Details: Legal name, wallet address, physical address (or national ID/passport number), and date/place of birth.
- Beneficiary Details: Legal name, wallet address, and country/city of residence.
For the Beneficiary VASP (Section 19):
The receiving VASP must cross-reference inbound metadata against its own customer records, verify its client’s identity, and have systems to block or isolate transactions lacking complete sender profiles.
Unhosted (Self-Custody) Wallet Transfers (Section 20):
If a transaction involves a self-custody wallet (e.g., Metamask, Ledger, Trust Wallet), the VASP must:
- Obtain beneficiary information from its own client.
- For transactions exceeding USD $1,000.00, perform a mandatory Wallet Ownership Proof (such as a cryptographic signature verification or a “Satoshi Test” sending a micro-transaction to verify control).
- Maintain enhanced transaction monitoring to check for signs of sanctions evasion or structuring.
THE TRAVEL RULE COMPLIANCE FLOW
[ Ordering VASP ] ───────────────────────────────► [ Beneficiary VASP ]
(Verifies KYC) Transmits secure metadata: (Verifies Beneficiary)
- Names, Wallet Addresses,
- ID Numbers & Residence
│
▼
[ Target: Unhosted Wallet ]
(Requires Wallet Proof if
transaction > $1,000)
2.4 Ongoing Compliance, Audits, and Record Keeping (Section 21)
The operational obligations do not end with registration. Registrants must implement a continuous oversight model:
- Threshold Customer Due Diligence (CDD): Mandatory full KYC verification for any transaction—single or linked—valued at USD $1,000.00 or more (or its equivalent).
- The Resident Compliance Officer: VASPs must hire a dedicated money laundering compliance officer who is resident in Zimbabwe, with the organizational authority to act independently.
- Audit and Log Retention: All verification data, transaction history logs, and system audits must be preserved for at least five years following the termination of the business relationship.
- Suspicious Transaction Reports (STRs): Real-time reporting of transaction anomalies to the FIU without “tipping off” the client.
2.5 The Penalties for Non-Compliance
The S.I. outlines severe fines and administrative actions to enforce compliance:
- Unregistered Operations (Section 4(8) & Section 8): Operating without registration, presenting false representations, or submitting forged documentation is a criminal offense, carrying a fine of up to USD $10,000.00 and a six-month ban from reapplying.
- General Violations of Section 10 Obligations (Section 10(2)): Failing to maintain fit and proper principal officers, failing to keep two resident directors, or failing to appoint a local compliance officer risks a fine of up to USD $50,000.00.
- Failure to Notify Material Changes (Section 13(4)): Failing to notify the FIU within 48 hours of any material change in ownership, control, or software protocol logic carries a fine of up to USD $50,000.00.
- Late Renewal Filings (Section 9(3)): Applying for renewal after the expiry of the annual certificate results in a Level 6 fine scale penalty.
Macroeconomic Impacts of S.I. 99 on Zimbabwe
Statutory Instrument 99 of 2026 does not exist in a policy vacuum. It is a strategic tool designed to balance the risks of digital asset adoption with the structural realities of the Zimbabwean economy.
┌──────────────────────────────────────────────────────────────────────────────────┐
│ MACROECONOMIC BALANCING │
├────────────────────────────────────────┬─────────────────────────────────────────┤
│ Economic Drivers │ Risk Mitigants │
├────────────────────────────────────────┼─────────────────────────────────────────┤
│ • Institutional Capital Inflows │ • Curtailing Capital Flight │
│ • Secure, Lower-Cost Remittances │ • Tax Base Preservation │
│ • Domestic Technological Innovation │ • Mitigating AML/CFT Sanction Threats │
└────────────────────────────────────────┴─────────────────────────────────────────┘
3.1 Financial Inclusion vs. Shadow Banking Mitigation
Zimbabwe has a highly informalized economy. Faced with high banking charges, cash shortages, and previous currency shifts, many citizens turned to peer-to-peer crypto networks. While these digital assets offered financial access, they functioned as an unregulated shadow banking sector.
S.I. 99 of 2026 seeks to bring this economic activity into the formal financial sector. By licensing VASPs and requiring them to operate through local banking relationships, the state converts unregulated, invisible asset flows into visible, taxable, and bankable economic data.
For the average citizen, this reduces the risk of falling victim to exit scams, fraudulent investment platforms, and predatory trading desks, thereby increasing trust in digital ecosystems.
3.2 Curbing Capital Flight and Stabilizing Exchange Rates
A key driver for the central bank is managing foreign exchange liquidity. Historically, digital assets have been used in developing nations as a vehicle for capital flight, allowing individuals and businesses to bypass domestic exchange controls by trading local currency for borderless assets like USDT or Bitcoin.
The stringent requirements of Part V (the Travel Rule) and the prohibition on anonymity-enhancing protocols (Section 6(1)(d)) are designed to close these exit pathways. Under Section 6, the FIU will reject any applicant who cannot demonstrate an ability to block or control anonymity-enhancing tools (such as privacy coins like Monero, or coin-mixing tools like Tornado Cash).
By establishing a clear window into who is buying digital assets and where those assets are being transferred, the state aims to mitigate speculative pressure on exchange rates.
3.3 Tax Base Expansion and Government Revenue
The formalization of the VASP industry introduces a new source of state revenue:
- Corporate Taxes: Registered VASPs operate as formal local businesses subject to standard corporate tax regimes.
- Transaction Levies: With transactions captured on centralized exchanges, the government can integrate digital assets into existing financial transaction tax frameworks (such as the Intermediated Money Transfer Tax – IMTT).
- Direct Administrative Fees: All registration, verification, and copy fees (Section 23(3)) accrue to the funds of the Reserve Bank of Zimbabwe, supporting regulatory operations.
3.4 De-risking Zimbabwe in Global Financial Markets
For years, Zimbabwe has worked to strengthen its standing with the Financial Action Task Force (FATF) and move away from graylisting concerns. Unregulated cryptocurrency transactions were a noted strategic vulnerability.
By implementing S.I. 99 of 2026, Zimbabwe aligns its regulatory framework with FATF’s Recommendation 15 on Virtual Assets. This compliance reassures international correspondent banks, reduces the perceived country risk, and helps preserve critical cross-border payment rails.
Microeconomic and Sector-Specific Impacts
The introduction of S.I. 99 of 2026 alters the operational landscape for several domestic sectors.
4.1 Traditional Banking and Financial Institutions
Historically, Zimbabwean banks were hesitant to interact with digital assets, often blocking transfers to known cryptocurrency exchanges due to regulatory uncertainty. S.I. 99 of 2026 provides the clear legal framework banks have waited for.
FINANCIAL INTEROPERABILITY
┌─────────────────┐ Fiat Channels ┌────────────────┐
│ Traditional │◄────────────────────────►│ Registered │
│ Banking Rail │ (Cleared, Compliant │ VASP Platform │
│ (Settlement/FX) │ Settlements) │ (Custody/TX) │
└─────────────────┘ └────────────────┘
Licensed VASPs can now establish compliant corporate banking relationships. This enables seamless fiat-to-crypto gateways (deposits and withdrawals) and allows banks to offer custodial services or diversify their own offerings. This development signals a move toward a more integrated financial services market.
4.2 Fintech Startups and Local Innovation Hubs
The S.I. presents a mixed outlook for local fintech entrepreneurs:
- The Positive: The regulations provide legal clarity. Startups no longer have to operate in fear of sudden regulatory shutdowns. They can secure venture capital, partner with regional networks, and build products on solid legal ground.
- The Challenge: The cost of compliance is high. The requirement for a resident compliance officer, two local directors, yearly independent system audits, and advanced Travel Rule messaging software (like IVMS 101-compliant APIs) requires significant capital. This could create a barrier to entry that favors well-capitalized foreign players or established local financial institutions over early-stage startups.
4.3 The Remittance Corridor
Remittances are a major source of foreign currency for Zimbabwe, with millions of dollars sent home annually by the global diaspora. Historically, traditional money transfer operators (MTOs) charged high fees for these transfers.
VASPs utilizing blockchain technology can theoretically offer near-instant cross-border transfers at a fraction of the cost. S.I. 99 of 2026 creates a clear regulatory pathway for these low-cost remittance channels, provided they can comply with the Travel Rule across jurisdictions. This has the potential to lower overall remittance costs and increase the net capital entering Zimbabwean households.
SWOT Analysis of S.I. 99 of 2026
To synthesize the regulatory, operational, and economic impacts of this statutory instrument, we can construct a detailed SWOT matrix:
┌──────────────────────────────────────────────────────────────────────────────────────┐
│ SWOT ANALYSIS │
├──────────────────────────────────────────────────────────────────────────────────────┤
│ STRENGTHS │ WEAKNESSES │
│ • Clear, modern, and legally defined rules │ • High compliance costs for local │
│ for the virtual asset industry. │ fintech startups. │
│ • Strong alignment with global FATF standards│ • Complex technical requirements │
│ (Recommendation 15). │ (e.g., Travel Rule for unhosted │
│ • Enhances consumer protection against │ wallets). │
│ scams and systemic failures. │ • Potential to push peer-to-peer (P2P) │
│ • Standardizes and secures fiat gateways. │ trading further underground. │
├────────────────────────────────────────────┼─────────────────────────────────────────┤
│ OPPORTUNITIES │ THREATS │
│ • Attracts institutional fintech capital │ • Potential regulatory arbitrage from │
│ and foreign direct investment (FDI). │ unregistered offshore VASPs. │
│ • Lowers cross-border remittance costs. │ • Rapid pace of technology may outrun │
│ • Bridges DeFi innovations with │ existing enforcement capabilities. │
│ traditional commercial banking. │ • Severe penalties could discourage │
│ • Helps integrate digital assets into the │ compliant, early-stage local │
│ national tax base. │ innovation. │
└────────────────────────────────────────────┴─────────────────────────────────────────┘
5.1 Strengths Explored
- Legal Certainty: The statutory instrument removes the existential threat under which local crypto operators previously worked.
- Consumer Safeguards: Displaying the registration certificate alongside a verified QR code linked directly to the FIU registry (Section 7(5)) protects consumers from fraudulent platforms.
- Vetted Leadership: Vetting through fit and proper declarations reduces the risk of bad actors managing client funds.
5.2 Weaknesses Explored
- The Burden of the Travel Rule: The requirement to exchange originator and beneficiary data during every transaction is technologically difficult to execute across different public blockchains. Startups may struggle with the cost of integrating Travel Rule protocols.
- The DeFi Challenge: While the S.I. defines “control” broadly, enforcing these regulations on truly decentralized, borderless networks with anonymous developers remains a major operational challenge for the FIU.
5.3 Opportunities Explored
- Zimbabwe as a Fintech Hub: By establishing a clear, progressive, yet secure regulatory framework, Zimbabwe can position itself as a attractive destination for regional fintech and digital asset development.
- Diaspora Integration: Compliant, blockchain-backed remittance corridors can bypass expensive intermediary banks, directly benefiting the local economy.
5.4 Threats Explored
- Regulatory Arbitrage: If local regulations are perceived as overly restrictive, users may turn to unregistered offshore VASPs. These offshore operators are difficult to police, which could undermine local, compliant platforms and reduce the domestic tax base.
- Enforcement Capacity: The FIU and local regulatory bodies will need to invest in blockchain analytics tools and specialized training to monitor transaction flows and ensure compliance.
Part 6: Strategic Recommendations for Businesses
For organizations navigating this new regulatory environment, compliance requires a proactive approach.
┌──────────────────────────────────────────────────────────────────────────────────┐
│ VASP STRATEGIC CHECKLIST │
├──────────────────────────────────────────────────────────────────────────────────┤
│ 1. Restructure corporate governance to ensure 2 resident directors. │
│ 2. Implement an automated Travel Rule solution (IVMS 101 compatible). │
│ 3. Develop a rigorous, localized ML/TF/PF risk assessment framework. │
│ 4. Establish reliable local banking partnerships for transparent fiat flows. │
└──────────────────────────────────────────────────────────────────────────────────┘
- Immediate Governance Restructuring:
Ensure your corporate structure meets the requirement of at least two resident directors and a dedicated, local compliance officer.
- Upgrade Technological Infrastructure:
Integrate automated Travel Rule compliance software that supports the standard IVMS 101 data model. Manual compliance is not scalable under these rules.
- Establish Robust Banking Partnerships:
Begin discussions with local commercial banks early. Presenting your registration application alongside a comprehensive AML/CFT program will help secure essential banking services.
- Develop a Comprehensive Risk Assessment:
Your risk assessment framework must be specific to your business model. Avoid generic templates; the FIU evaluates applications based on how well the policies match the actual technology and operational flows used.
- Implement Strong Cyber Defense Protocols:
Under Section 4(2)(o), you must demonstrate active cybersecurity protections. Regular third-party security audits and clear data protection policies are key to a successful application.
Conclusion
Statutory Instrument 99 of 2026 brings needed structure and clarity to Zimbabwe’s virtual asset sector. It establishes a clear, formal framework that balances the need for security and compliance with the opportunities of digital asset innovation.
While the compliance standards are high, they provide the necessary foundation for a mature, secure, and integrated digital economy. For businesses, navigating these rules successfully is key to unlocking the potential of fintech in Zimbabwe.
