The Financial Intelligence Centre Act (FICA) is South Africa's primary anti-money laundering and counter-financing of terrorism legislation. For accountable institutions — from banks and insurers to estate agents and attorneys — FICA compliance is not optional. The Financial Intelligence Centre (FIC) has intensified its supervisory activities since South Africa's FATF greylisting, and non-compliance now carries substantial penalties. This guide explains what FICA requires in 2026 and how to manage your obligations effectively. Organisations managing FICA obligations alongside broader governance requirements can explore GRC software built for South Africa.
Who Is an Accountable Institution?
Schedule 1 of FICA lists the categories of businesses that must comply fully with AML/CFT obligations. These include:
- Financial institutions: Banks, insurers, investment managers, forex dealers, credit providers
- Designated Non-Financial Businesses and Professions (DNFBPs): Estate agents, attorneys handling client funds, accountants, trust service providers, high-value goods dealers
- Reporting institutions: Cash threshold reporting entities under Schedule 3
If your business falls under Schedule 1, you must implement a Risk Management Compliance Programme (RMCP), conduct ongoing Customer Due Diligence (CDD), keep records for at least five years, and report suspicious and unusual transactions to the FIC.
2023–2026 Supervisory Intensification
Following South Africa's greylisting by the FATF in February 2023, the FIC significantly increased supervisory actions. Administrative sanctions, compliance notices, and public disclosures of non-compliant institutions have all increased. Sustained compliance effort is now essential to avoid penalties and support South Africa's FATF re-evaluation progress.
The Risk-Based Approach in 2026
FICA requires a risk-based approach (RBA) — meaning your compliance effort must be proportionate to the money laundering and terrorist financing risk you face. The RBA does not mean doing less; it means doing the right things in the right places.
Your RMCP must document:
- Business risk assessment: Products, services, delivery channels, customer types, geographic exposure
- Customer risk rating methodology: How you classify customers as low, medium, or high risk
- Enhanced Due Diligence triggers: When standard CDD is not sufficient
- Simplified Due Diligence criteria: Specific circumstances where reduced measures are permitted
The FIC expects institutions to demonstrate that their risk assessment is living — reviewed at least annually and updated when new products, markets, or customer types are introduced.
Customer Due Diligence Requirements
CDD is the cornerstone of FICA compliance. It involves identifying and verifying customers, understanding the nature of the business relationship, and monitoring it on an ongoing basis.
| CDD Type | When Required | Key Requirements |
|---|---|---|
| Standard CDD | All new business relationships | Identity verification, beneficial ownership, nature of business |
| Enhanced CDD | Politically Exposed Persons, high-risk customers, complex structures | Source of funds, source of wealth, senior management approval |
| Simplified CDD | Low-risk products/customers approved by FIC | Reduced identity verification; ongoing monitoring still required |
| Ongoing Monitoring | Throughout the relationship | Transaction monitoring, periodic re-verification, PEP screening |
Beneficial Ownership Requirements
FICA requires identification of beneficial owners — natural persons who ultimately own or control a legal entity, typically those with 25% or more ownership or effective control. This must be documented, verified, and kept up to date. The CIPC's beneficial ownership register, operational from 2023, is a key verification source.
The 5 Most Common FICA Compliance Failures
Based on FIC inspection findings and administrative actions, these are the most frequently cited failures:
1. Inadequate or Outdated RMCP
Many institutions have an RMCP that was written once and never updated. The FIC expects the RMCP to reflect current products, customer types, and risk exposure. An outdated RMCP is often the first finding in any supervisory review.
2. Incomplete Beneficial Ownership Records
Identifying the natural person who ultimately controls a legal entity is complex but mandatory. Institutions frequently fail to go beyond the first layer of ownership or fail to update records when ownership changes.
3. PEP Screening Gaps
Politically Exposed Persons must be identified at onboarding and screened on an ongoing basis. Using manual processes or infrequent screening creates significant gaps — especially given the volume of PEPs in South Africa's public sector.
4. Inadequate Transaction Monitoring
Institutions must monitor for unusual or suspicious activity throughout the relationship. Rule-based systems that generate high false-positive rates often lead to alert fatigue, resulting in genuine suspicious activity being missed.
5. Weak Record-Keeping
FICA requires records to be kept for at least five years and to be retrievable on request. Paper-based or fragmented record-keeping systems frequently fail to meet this requirement.
Using Technology to Manage FICA Compliance
Manual FICA compliance processes are increasingly inadequate given the volume, complexity, and supervisory intensity of the current environment. Technology can:
- Automate CDD workflows: Identity verification, beneficial ownership mapping, document collection
- Enable real-time PEP and sanctions screening: Against global watchlists updated continuously
- Centralise your RMCP: With version control, approval workflows, and audit trails
- Flag and escalate suspicious activity: Automated alerts with investigation workflows
- Generate regulator-ready reports: STR/CTR submissions with complete documentation
For organisations that also manage broader governance, risk, and compliance (GRC) obligations, integrating FICA controls into an enterprise GRC platform creates a single source of truth across all regulatory requirements.
Summary
- All Schedule 1 accountable institutions must maintain a current, risk-based RMCP
- CDD requirements extend to beneficial ownership identification and ongoing monitoring
- Enhanced Due Diligence is mandatory for PEPs and high-risk customers
- The five most common failures are: outdated RMCP, incomplete BO records, PEP gaps, weak transaction monitoring, and poor record-keeping
- Technology significantly reduces the manual burden of FICA compliance
- FATF greylisting has intensified FIC supervisory activity — non-compliance risk is at an all-time high
Frequently Asked Questions
What is the penalty for FICA non-compliance in South Africa?
Administrative sanctions under FICA can include fines of up to R10 million per contravention, compliance notices, and public disclosure of sanctions. Criminal penalties for serious violations can include imprisonment. Since greylisting in 2023, the FIC has significantly increased the frequency and severity of sanctions.
How often must my RMCP be reviewed?
The FIC expects your RMCP to be reviewed at least annually. It must also be updated whenever there is a material change to your business — new products, new customer segments, new geographic exposure, or changes in the regulatory environment.
Does FICA apply to small businesses?
Yes. FICA obligations apply based on the type of activity, not the size of the business. A sole-proprietor attorney handling client funds, or a small estate agency, is subject to the same FICA requirements as a large bank. The risk-based approach allows proportionate implementation, but the obligation itself is the same.
What is the difference between an STR and a CTR under FICA?
A Suspicious Transaction Report (STR) must be filed when you have reason to believe a transaction may be linked to money laundering or terrorist financing, regardless of the amount. A Cash Threshold Report (CTR) must be filed for cash transactions above R24,999.99. Both must be submitted to the FIC within the required timeframes.
References
1. Financial Intelligence Centre Act 38 of 2001, as amended.
2. Financial Action Task Force (FATF). Mutual Evaluation Report: South Africa, 2021.
3. FATF. Follow-up Report: South Africa, 2025.
4. Financial Intelligence Centre. Guidance Note 7: Risk Management Compliance Programmes. 2022.
5. Financial Intelligence Centre. Directive 6: Beneficial Ownership. 2023.
6. Companies and Intellectual Property Commission. Beneficial Ownership Register. 2023.
