Compliance Intelligence Report · 2026

FIC Act Compliance
Covered by InTouch

A comprehensive guide to South Africa's Financial Intelligence Centre Act (FIC Act), its specific requirements for identity verification, KYC, AML, and bank account verification — and how InTouch's platform addresses every obligation for accountable institutions.

Report Type: FIC Act Compliance Guide
Jurisdiction: South Africa · For Accountable Institutions
Last Updated: May 2026

01 · Overview

What is the FIC Act?

The Financial Intelligence Centre Act (Act 38 of 2001), commonly known as the FIC Act or FICA, is South Africa's primary legislative framework for combating money laundering, terrorist financing, and related financial crimes.

The Act establishes the Financial Intelligence Centre (FIC) — South Africa's financial intelligence unit — tasked with collecting, analysing, and disseminating financial intelligence to support law enforcement, regulatory bodies, and the South African Revenue Service. The FIC Act was enacted in 2003 and underwent major amendments in 2017 and again in December 2022, each time broadening the scope of obligations and tightening compliance standards to align with Financial Action Task Force (FATF) recommendations.

In February 2023, South Africa was placed on the FATF "greylist" due to deficiencies in its anti-money laundering measures. This has dramatically elevated the regulatory pressure on all accountable institutions to demonstrate airtight compliance — a burden that can only be effectively managed through reliable, automated systems.

⚠ Penalties for Non-Compliance

Failure to comply with FIC Act obligations can result in administrative fines of up to R100 million, reputational damage, regulatory sanctions, and in serious cases, criminal prosecution and imprisonment.

R100M: Maximum administrative fine for non-compliance
5 yrs: Mandatory record retention period post-relationship
90: Days to register with FIC after commencing business

02 · Scope

Who Must Comply — Accountable Institutions

The FIC Act applies to a broad range of entities designated as "Accountable Institutions." Registration with the FIC is mandatory and must be completed via the goAML system within 90 days of commencing business.

Financial Services & Banking

Banks, credit unions, insurers, investment firms, payment service providers, cryptocurrency exchanges

Legal & Professional Services

Attorneys, advocates, accountants, auditors, and trust company practitioners

Property & Real Estate

Estate agents, property developers, and companies managing high-value property transactions

High-Value Goods Dealers

Auctioneers, dealers in precious metals/stones, and luxury goods merchants

Money Services & Forex

Forex dealers, money transfer operators, and remittance service providers

Other Regulated Entities

FSPs, financial advisors, loan providers, and any entity facilitating financial transactions

03 · Obligations

Core Obligations & Reporting Requirements

Every accountable institution must implement a comprehensive AML/CFT compliance programme covering registration, customer due diligence, risk management, transaction monitoring, reporting, internal governance, and record keeping.

Mandatory Reporting to the FIC (via goAML)

Report Type | Trigger | Threshold
Cash Threshold Report (CTR) | Cash transaction received or paid | Above R49,999.99 — Must be filed within 3 days
Suspicious Transaction Report (STR) | Any suspicious or unusual activity | No threshold — all suspicious transactions
Terrorist Property Report (TPR) | Transaction involving a UN sanctions-listed party | Any value
International Funds Transfer Report (IFTR) | Cross-border electronic funds transfers | Above R19,999.99
Cash Conveyance Report (CCR) | Cash physically crossing SA borders | Above prescribed threshold

Internal Governance Requirements

Compliance Officer (MLRO)

Appoint a designated Money Laundering Reporting Officer responsible for overseeing compliance programme implementation and FIC reporting.

Internal Rules & Policies

Formulate documented procedures for client identification, verification, record management, and transaction monitoring.

Staff Training

Regular training for all relevant employees to recognise suspicious activity and understand their reporting obligations.

Record Keeping

Retain all KYC records, transaction records, and verification documentation for at least 5 years after the business relationship ends.

04 · Deep Dive

Identity Verification Requirements

Section 21 and Regulations 3–6 of the FIC Act set out explicit requirements for establishing and verifying the identity of both natural persons and legal entities before establishing a business relationship or concluding a transaction.

Natural Persons — What Must Be Collected & Verified

FIC Act Requirement
  • Full name (first name, initials, and surname)
  • Date of birth
  • South African ID number (or passport number for foreign nationals)
  • Residential address (established and verified)
  • Contact information
  • Photograph-bearing identity document
  • POPIA-compliant consent before collection
✓ How It Is Verified
  • SA Smart ID Card or green barcoded ID book
  • Verified against Department of Home Affairs (DHA/HANIS) database in real time
  • Passport accepted for foreign nationals (issued by country of citizenship)
  • Utility bill, bank statement, or lease agreement for address (≤3 months recommended)
  • Biometric liveness detection + facial match to ID document photo
  • Digital consent captured before verification commences

Legal Entities (Companies, CCs, Trusts, Partnerships)

Entity Type | Key Documents Required | Related Parties to Verify
SA Company / CC | CIPC registration certificate, Memorandum of Incorporation, registered address | Directors, authorised signatories, UBOs (≥5% shareholders)
Trust (Inter Vivos) | Trust Deed, Letter of Authority from the Master of the High Court | Founder, trustees, beneficiaries (or class of beneficiaries)
Trust (Testamentary) | Will, Letter of Executorship | Executor, trustees, beneficiaries
Partnership | Partnership agreement | All partners (jointly and severally liable)
Foreign Company | Foreign registration documents, translated and certified | Directors, authorised persons, beneficial owners

📌 Digital / Remote Verification

The FIC Act expressly permits remote (digital) identity verification as a valid alternative to in-person verification, provided the process includes document authentication via AI/OCR, real-time DHA database lookup, and biometric liveness verification. Simply receiving an uploaded ID image without running authenticity checks does not satisfy FICA requirements.

05 · Deep Dive

KYC — Know Your Customer

KYC under the FIC Act is not a one-time event — it is an ongoing, risk-calibrated process governed by Sections 21, 21A, 21B, and 21C. Institutions must identify, verify, risk-score, and continuously monitor every customer relationship.

The Six-Step KYC Process

1. Collect Identity Information: Gather required documentation before establishing the business relationship. No business relationship may commence until CDD is complete (or in progress for lower-risk relationships).
2. Verify Using Independent Sources: Cross-check all collected information against government databases (DHA), CIPC, and other trusted third-party data sources to confirm authenticity.
3. Risk Profile Assessment: Assess the customer's risk level across defined categories — customer type, geographic risk, industry, transaction volume, and PEP/sanctions status — to determine CDD, SDD, or EDD treatment.
4. Enhanced Due Diligence (EDD) for High-Risk Clients: For politically exposed persons, foreign nationals, high-value transactions, or opaque ownership structures, additional verification, source-of-funds documentation, and senior management sign-off are required.
5. Beneficial Ownership Identification (Section 21B): Identify and verify any natural person holding 5% or more of a legal entity. Where no single majority holder exists, identify the controlling senior officer (CEO, CFO, COO). All related parties — directors, signatories, authorised representatives — must also be FICA'd.
6. Ongoing Monitoring (Section 21C): Continuously monitor customer transactions throughout the relationship. Periodically refresh KYC information to ensure it remains current. Flag any activity inconsistent with the customer's established profile for STR submission.

Due Diligence Tiers

Simplified Due Diligence (SDD)

Applied for demonstrably low-risk customers where specific FICA exemptions apply. Reduced documentation requirements but not zero verification.

Standard CDD

Baseline requirement for all customers. Full identity verification, address confirmation, risk assessment, and beneficial ownership determination.

Enhanced Due Diligence (EDD)

Mandatory for high-risk customers including PEPs, FPEPs, PIPs, foreign nationals, shell companies, and those from high-risk jurisdictions. Includes source-of-funds documentation and enhanced monitoring.

06 · Deep Dive

AML — Anti-Money Laundering Requirements

The FIC Act implements the full FATF 40 Recommendations framework. AML obligations extend beyond onboarding to encompass an institution-wide risk-based approach, ongoing transaction monitoring, and multi-layered screening.

Risk-Based Approach

Institutions must conduct a Business Risk Assessment (BRA) at an organisational level, evaluating their inherent exposure to money laundering and terrorist financing risk across all products, services, customers, and geographies. This assessment must be documented, reviewed regularly, and used to calibrate the intensity of CDD controls applied at client level.

Screening Requirements

What Must Be Screened
  • UN Targeted Financial Sanctions Lists (mandatory)
  • Domestic Politically Exposed Persons (DPEP)
  • Foreign Politically Exposed Persons (FPEP)
  • Prominent Influential Persons (PIP)
  • OFAC / EU / HMT / other international sanctions lists
  • Adverse media (global news sources)
  • Crime and watchlists (Crimelist screening)
✓ When Screening Applies
  • At onboarding — before establishing any business relationship
  • On an ongoing basis throughout the relationship
  • When processing transactions above prescribed thresholds
  • When a customer's circumstances materially change
  • When STR indicators are observed
  • Periodic refresh at intervals determined by risk rating

Transaction Monitoring

Institutions must monitor customer transactions on an ongoing basis to detect activity that is inconsistent with the customer's established profile, business type, or historical patterns. Suspicious activity must be reported to the FIC via an STR within a reasonable period of detection — there is no threshold for STR reporting.

Key AML Programme Components

Written AML Policies — Documented procedures approved at board/senior management level.
Designated MLRO — A compliance officer accountable for AML reporting and oversight.
Staff Training — Regular, documented training covering red flags, typologies, and reporting duties.
Independent Audit — Periodic internal or external testing of AML programme effectiveness.
Audit Trail — Every screening result, risk decision, and verification event must be logged with timestamps and accessible to regulators on demand.

07 · Deep Dive

Bank Account Verification

While the FIC Act does not contain a standalone "bank account verification" provision, bank account verification is a critical practical component of FICA compliance — linking a verified identity to actual financial activity.

Why Bank Account Verification Matters for FICA Compliance

Identity-to-Account Linkage

Confirming that the bank account presented belongs to the verified individual or entity prevents third-party and money mule account use — a primary AML red flag under the FIC Act.

Proof of Address Dual Purpose

Bank statements are explicitly accepted under FICA Regulations as a valid proof-of-address document and simultaneously evidence financial activity patterns relevant to ongoing monitoring.

Source of Funds (EDD)

For high-risk clients requiring Enhanced Due Diligence, bank account verification supports Source of Funds (SoF) and Source of Wealth (SoW) documentation requirements under the risk-based approach.

Fraud & Payment Risk Mitigation

Verifying account validity and ownership reduces payment fraud, prevents disbursements to unverified third parties, and protects both institution and client from financial loss.

What a Valid Bank Account Verification Must Confirm

1. Account exists and is active: The account number is valid and currently operational at the named South African bank.
2. Account holder identity matches: The name on the account matches the identity document presented and verified during the KYC process.
3. Account type confirmation: Cheque, savings, or business account — relevant for risk assessment and transaction profiling purposes.
4. Branch / sort code confirmation: Verifies the institution details are accurate and consistent with the institution claiming to hold the account.

08 · InTouch Platform

How InTouch Covers Every Requirement

InTouch's compliance platform — accessible at portal.intouch.io — is purpose-built to help South African accountable institutions meet every dimension of their FIC Act obligations. From consent collection through to audit-trail export, every step is handled in a single, unified platform.

09 · Features

The InTouch Platform — Feature by Feature

InTouch is a RegTech platform offering 15+ verification automation types, sub-3-second average response times, and a fully audit-trailed environment designed around FICA, POPIA, and FATF standards.

1. Consent Service — POPIA-Compliant Collection

Before any verification can begin, the FIC Act (read alongside POPIA Section 11) requires informed, documented consent from the individual. InTouch's Consent Service resolves this entirely:

Consent Request Delivery

Send consent requests via any preferred channel. Customers review and approve on a branded, secure page.

Tamper-Proof Audit Log

Every response is logged with a timestamp and full audit history. Holds up under regulatory scrutiny and POPIA compliance review.

Custom Consent Flows

Build any authentication or consent workflow. Supports biometric authentication consent as required for digital KYC onboarding.

2. Identity Verification — DHA-Linked, Real-Time

InTouch's identity verification automation directly addresses FICA Regulations 3–6, verifying full name, date of birth, ID number, and address against government and trusted data sources in real time:

FICA Requirement
  • Full name, date of birth, ID number
  • Verified against ID document
  • Residential address verified independently
  • Document authenticity confirmed
  • Biometric match to document
✓ InTouch Delivers
  • SA Smart ID, green ID book, or passport captured via device camera
  • AI-powered OCR extracts and validates document data
  • Real-time DHA/HANIS database lookup confirms authenticity
  • Biometric liveness detection + facial match prevents synthetic identity fraud
  • Address cross-referenced against trusted third-party data sources

3. KYC & Risk Rating — Automated, Weighted, Auditable

InTouch's Risk Rating engine operationalises the FIC Act's risk-based approach — scoring individuals and organisations across up to 10 weighted categories to determine the appropriate level of due diligence:

10-Category Risk Assessment

Customer type, AML/PEP screening results, interaction method, customer activities, source of wealth, geography, transaction size, and more — all weighted and automatically scored.

Risk Bands: Low to Ultra High

Clear risk thresholds map to SDD, standard CDD, or EDD treatment. High-risk clients are automatically flagged for human review before onboarding proceeds.

Ongoing Review Scheduling

Every risk rating includes a next-review date, ensuring Section 21C ongoing monitoring obligations are met and KYC information remains current.

Custom Risk Frameworks

Build risk rating models tailored to your institution's specific client base, products, and regulatory risk appetite. Every decision is fully auditable.

4. Full AML Screening — Sanctions, PEP, Watchlists & Adverse Media

InTouch delivers comprehensive AML screening covering every screening obligation under the FIC Act and FATF recommendations — for both individuals and organisations, in single or bulk mode:

FICA Screening Obligation
  • UN Targeted Financial Sanctions (mandatory)
  • DPEP / FPEP / PIP identification
  • International sanctions (OFAC, EU, HMT)
  • Adverse media screening
  • Crimelist / watchlist screening
  • Ongoing monitoring throughout relationship
✓ InTouch Screening Coverage
  • UN, OFAC, EU, HMT, and other global sanctions databases
  • PEP lists — domestic and international, updated continuously
  • Adverse media scan across billions of global news articles
  • Watchlist and crimelist cross-referencing
  • Single check in under 3 seconds
  • Bulk AML screening — thousands of records via single upload

5. Know Your Business (KYB) — CIPC & Beneficial Ownership

For legal entity clients, InTouch provides automated company and beneficial ownership verification aligned to Section 21B requirements:

CIPC Company Verification

Real-time company registration status, registered name, address, and directorship details from the Companies and Intellectual Property Commission.

Director & Signatory Verification

Individual identity verification (including DHA lookup and biometrics) for each director, authorised signatory, and related party of the entity.

6. Bank Account Verification — Instant, Automated

InTouch's bank account verification workflow directly addresses the FICA practical requirement of linking a verified identity to financial account ownership:

Account Validity & Ownership

Verify that the account exists, is active, and that the account holder's name matches the identity verified during KYC — closing the identity-to-account gap.

All Major SA Banks Supported

Checks are run against live banking infrastructure covering all major South African banks.

Source of Funds Support

Supports EDD source-of-funds documentation workflows for high-risk clients requiring enhanced account-level verification.

7. Audit Trail & Record Keeping — 5-Year Retention Ready

Every action in the InTouch platform is automatically logged with a complete, tamper-proof audit trail — satisfying the 5-year record retention obligations under FICA Sections 22–23 and providing the documentation required when regulators or auditors arrive.

✓ What the Audit Trail Captures

Every verification run (identity, AML, address, bank account), consent requests and approvals, risk rating decisions with reasons and review dates, all screening results including hits and clear results, bulk automation run details and per-record outcomes, and export timestamps for compliance reporting. Every record is exportable as a PDF Verification Report.

8. Bulk Automations — Entire Client Books at Scale

For existing client books requiring retrospective FICA remediation, or for high-volume onboarding pipelines, InTouch's bulk automation capability processes thousands of records from a single spreadsheet upload. Download the template, fill in client data, upload, and the system processes every row against live data sources — with per-record status tracking (successful, partial, flagged) and full exportable results.

10 · Compliance Mapping

Complete FIC Act Compliance Mapping

The table below maps every key FIC Act obligation to the specific InTouch feature that addresses it — giving your compliance officer a clear overview of coverage.

FIC Act Requirement | FICA Reference | InTouch Feature | Status
POPIA consent before verification | POPIA s.11 + FICA | Consent Service — digital consent with audit log | Covered
Identity verification (natural persons) | Regs 3–6 | ID Verification — DHA/HANIS real-time lookup | Covered
Document authenticity check | Guidance Note 3A | AI OCR + document authentication checks | Covered
Biometric liveness verification | FIC 2024 Guidance | Biometric face scan + liveness detection | Covered
Proof of address verification | Regs 3–6 | Address Validation automation | Covered
Risk profile assessment (risk-based approach) | s.21A | Risk Rating — 10-category weighted scoring | Covered
KYC / CDD for all customers | s.21 | KYC Verification automation | Covered
Enhanced Due Diligence (EDD) | s.21A | EDD flag + human review routing in Risk Rating | Covered
Beneficial ownership identification | s.21B | KYB — CIPC verification + UBO capture | Covered
Ongoing customer monitoring | s.21C | Periodic KYC refresh + review scheduling | Covered
UN Sanctions screening | s.28A (TPR) | AML Screening — UN, OFAC, EU, HMT lists | Covered
PEP / DPEP / FPEP / PIP identification | s.21A + Regs | PEP Check automation — domestic & international | Covered
Adverse media screening | Risk-based approach | Adverse Media Check — global news scan | Covered
Watchlist / crimelist screening | Risk-based approach | Sanctions Check + AML Screening automation | Covered
Bank account ownership verification | AML / fraud risk | Bank Account Verification automation | Covered
KYB — company/entity verification | Regs 7–12 | CIPC company lookup + director verification | Covered
5-year record retention | s.22–23 | Automated audit trail + PDF export per record | Covered
Bulk client book screening / remediation | General obligation | Bulk Automations — spreadsheet upload, batch processing | Covered

📌 Note on Registration & Reporting

The obligation to register with the FIC via goAML, appoint a compliance officer (MLRO), submit regulatory reports (CTR, STR, IFTR, TPR), and conduct staff training are institutional governance obligations that fall outside the scope of a verification platform. InTouch covers all data verification, screening, and audit-trail requirements. Regulatory report submission to the FIC must be completed directly via the goAML portal.

11 · Why InTouch

The Business Case for InTouch

Speed — Under 3 Seconds

Verification results in under 3 seconds on average. No more waiting for manual responses, chasing results, or copying data between portals.

One Platform, Zero Fragmentation

AML, KYC, identity, address, bank account — all in a single environment. One login, one invoice, one audit trail. No more juggling multiple vendors.

Audit-Ready by Default

Every verification is automatically logged. When auditors arrive, there is no scrambling through spreadsheets or email threads — everything is exportable on demand.

Scales From 1 to 1,000,000

Single checks for individual onboarding, or bulk automations for entire client books. The same platform, the same compliance quality, at any scale.

POPIA Compliant by Design

Consent is collected, recorded, and timestamped before any personal information is processed. Built for South Africa's privacy law landscape from the ground up.

API-First Developer Integration

Full API access via the InTouch Developer Portal (developer.intouch.io) allows seamless integration into existing CRM, onboarding, and compliance systems.

Disclaimer

This document is intended as an informational guide only and does not constitute legal advice. The FIC Act and related regulations are subject to ongoing amendment by the Financial Intelligence Centre and National Treasury. Accountable institutions should consult with a qualified compliance officer or legal advisor to ensure their full compliance programme meets the specific requirements applicable to their institution and risk profile. For the most current regulatory guidance, refer to fic.gov.za.


InTouch 27 (Pty) Ltd
portal.intouch.io · intouch.io · developer.intouch.io
© 2026 InTouch 27. All Rights Reserved.