FICA Compliance for Financial Services

Complete compliance guide for banks, insurance companies, investment firms, and fintech. Understand your obligations as a Schedule 1 accountable institution, KYC requirements, AML procedures, and how to avoid penalties.

Automate Compliance Full FICA Guide

R100M

Maximum ML Penalty

15 Days

STR Filing Deadline

5 Years

Record Retention

R24,999

CTR Threshold

1. Schedule 1 Accountable Institutions

Under FICA Schedule 1, the following financial services entities are classified as accountable institutions with mandatory compliance obligations:

Banking

1(a)

Banks

Commercial banks registered under Banks Act 94 of 1990

1(b)

Mutual Banks

Banks registered under Mutual Banks Act 124 of 1993

1(c)

Cooperative Banks

Banks registered under Cooperative Banks Act 40 of 2007

1(d)

Authorised Dealers

Authorised dealers in foreign exchange under Currency and Exchanges Act

Insurance

1(e)

Long-term Insurers

Life insurance companies registered under Long-term Insurance Act

1(f)

Short-term Insurers

General insurance companies registered under Short-term Insurance Act

1(g)

Insurance Brokers

Insurance brokers registered under FAIS Act

1(h)

Underwriting Managers

Managing general agents and underwriting managers

Investment & Asset Management

1(i)

Stockbrokers

Members of licensed exchanges (JSE)

1(j)

Portfolio Managers

FSPs providing discretionary portfolio management

1(k)

CIS Managers

Collective investment scheme managers

1(l)

Pension Fund Administrators

Administrators of pension and provident funds

Payment Services

1(m)

Money Remitters

Money transfer services and remittance providers

1(n)

Payment Service Providers

Third-party payment processors

1(o)

E-Money Issuers

Electronic money institutions

1(p)

Crypto Asset Providers

Virtual asset service providers (VASPs)

2. Key Compliance Requirements

Financial services institutions must implement comprehensive compliance measures across all FICA requirements:

Customer Due Diligence (CDD)

Section 21

CRITICAL

Verify customer identity before establishing business relationships or conducting transactions.

Collect and verify identification documents
Verify against Home Affairs database
Understand nature and purpose of business relationship
Identify beneficial owners for entities
Document CDD process and outcomes

Enhanced Due Diligence (EDD)

Section 21A

CRITICAL

Apply additional scrutiny for high-risk customers and relationships.

Verify source of funds and source of wealth
Conduct enhanced PEP and sanctions screening
Obtain senior management approval
Apply enhanced ongoing monitoring
Document EDD rationale and approval

PEP & Sanctions Screening

Sections 21, 21A

CRITICAL

Screen all customers against PEP databases and international sanctions lists.

Screen at onboarding and periodically thereafter
Check UN, OFAC, EU, UK, and SA sanctions lists
Identify domestic and foreign PEPs
Apply EDD to all identified PEPs
Implement adverse media monitoring

Transaction Monitoring

Section 29

CRITICAL

Monitor transactions for suspicious activity indicative of money laundering or terrorist financing.

Implement automated transaction monitoring system
Define thresholds and red flag scenarios
Review alerts promptly
Escalate suspicious activity
File STRs within 15 days

Cash Threshold Reporting

Section 28

HIGH

Report cash transactions equal to or exceeding R24,999.99.

Implement CTR detection and reporting
Submit CTRs to FIC within 2 days
Aggregate related transactions
Train staff on cash handling
Document all cash transactions

Risk Management & Compliance Programme

Section 42

CRITICAL

Develop and maintain comprehensive RMCP approved by board.

Conduct enterprise-wide risk assessment
Develop written policies and procedures
Appoint compliance officer
Implement staff training programme
Conduct regular independent audits

Record Keeping

Sections 22-23

HIGH

Maintain all CDD and transaction records for minimum 5 years.

Retain identification documents
Keep transaction records
Document verification steps
Store STR filing records
Ensure records are readily retrievable

Staff Training

Section 42

HIGH

Train all relevant staff on FICA obligations and AML procedures.

Provide onboarding training
Conduct annual refresher training
Role-specific training for compliance staff
Document training attendance
Test staff knowledge

3. Risk Management Framework

FICA Section 42 requires financial institutions to implement a comprehensive Risk Management and Compliance Programme (RMCP). The RMCP must be approved by the board and regularly reviewed.

RMCP Components

Enterprise-wide risk assessment
Written policies and procedures
Customer risk classification methodology

Compliance function and officer
Staff training programme
Independent audit/testing

Risk Categories

Customer Risk

Customer type (individual, company, trust)
Industry/occupation
PEP status
Adverse media

Geographic Risk

Country of residence
Country of operations
High-risk jurisdictions (FATF)
Sanctions exposure

Product/Service Risk

Anonymous or bearer products
High-value transactions
Cross-border capabilities
Digital/remote channels

Channel Risk

Non-face-to-face onboarding
Third-party reliance
Agent/intermediary channels
Digital platforms

4. Red Flags & Warning Signs

Financial institutions must train staff to recognise red flags that may indicate money laundering, terrorist financing, or other financial crimes.

Customer Behaviour

Reluctance to provide identification information
Inconsistent or unusual documentation
Multiple accounts with no clear business purpose
Frequent changes to customer information
Attempts to avoid reporting thresholds

Transaction Patterns

Transactions inconsistent with customer profile
Large cash deposits followed by wire transfers
Round-amount or just-below-threshold transactions
Rapid movement of funds (in and out)
Transactions with high-risk jurisdictions

Account Activity

Dormant account suddenly active
High volume of transactions on new account
Multiple wire transfers to unrelated parties
Third-party funding without clear explanation
Complex layering of transactions

5. Reporting Obligations

Financial institutions have specific reporting obligations to the Financial Intelligence Centre (FIC):

Suspicious Transaction Reports (STRs) - Section 29

File within 15 business days of forming suspicion

Report all transactions suspected of ML/TF
Include attempted suspicious transactions
No de minimis threshold applies
Maintain confidentiality (no tipping off)

Cash Threshold Reports (CTRs) - Section 28

File within 2 business days of transaction

Report cash transactions ≥ R24,999.99
Aggregate related transactions
Include cross-border transactions
Automated submission via goAML

Terrorist Property Reports (TPRs) - Section 28A

File immediately upon knowledge

Report property related to terrorist activity
Report property linked to designated entities
Freeze property pending investigation

6. Penalties & Enforcement

Non-compliance with FICA carries severe penalties for financial institutions and their officers:

Violation	Penalty	Regulator
Failure to conduct CDD	Administrative penalty up to R10 million	FIC
Failure to file STR	Up to R10 million fine and/or 5 years imprisonment	FIC / NPA
Failure to file CTR	Administrative penalty	FIC
Money laundering offence	Up to R100 million and/or 15 years imprisonment	NPA
Tipping off	Up to R10 million and/or 15 years imprisonment	NPA
Failure to maintain RMCP	Administrative penalty, potential license conditions	FIC / SARB / FSCA

Director & Officer Liability

Directors and officers can be held personally liable for FICA violations. Section 68 provides that any person who aided, abetted, or knowingly participated in a contravention can be prosecuted alongside the institution.

7. Regulatory Bodies

FIC (Financial Intelligence Centre)

Primary FICA regulator and financial intelligence unit

Receives and analyses STRs/CTRs
Issues guidance and directives
Conducts inspections
Imposes administrative sanctions

SARB (South African Reserve Bank)

Prudential regulator for banks

Issues banking licenses
Supervises bank compliance
Coordinates with FIC on inspections

FSCA (Financial Sector Conduct Authority)

Market conduct regulator

Licenses FSPs under FAIS
Supervises insurance intermediaries
Regulates market conduct

PA (Prudential Authority)

Insurance and pension prudential regulator

Licenses insurers
Supervises pension funds
Sets prudential standards

8. Fintech & Digital Compliance

Fintech companies providing financial services must comply with the same FICA requirements as traditional institutions. Additional considerations apply for digital-first operations:

Digital Onboarding

eKYC through Home Affairs API
Biometric verification (facial recognition)
Document authentication
Liveness detection

Crypto/VASP Requirements

Full CDD for all transactions
Travel Rule compliance
Wallet screening
Blockchain analytics

Regulatory Sandbox

The FSCA and SARB offer regulatory sandboxes for fintech innovation. While in sandbox, fintechs may receive temporary exemptions but must still implement baseline AML controls and demonstrate compliance readiness.

9. Implementation Roadmap

Foundation

Conduct gap analysis
Appoint compliance officer
Develop RMCP framework
Register with FIC

Policies & Procedures

Draft CDD/EDD procedures
Create transaction monitoring rules
Develop STR filing procedures
Establish record keeping systems

Technology

Implement eKYC solution
Deploy transaction monitoring system
Integrate PEP/sanctions screening
Connect to goAML for reporting

Training

Train frontline staff on CDD
Train compliance team on EDD
Train staff on red flag detection
Document all training

Testing & Audit

Conduct independent RMCP audit
Test transaction monitoring effectiveness
Review sample CDD files
Address identified gaps

Ongoing

Periodic risk assessment updates
Annual RMCP review
Continuous staff training
Regulatory change monitoring

10. Frequently Asked Questions

Which financial institutions are FICA accountable institutions?

Under FICA Schedule 1, accountable institutions in the financial sector include banks, mutual banks, cooperative banks, insurance companies (long-term and short-term), pension fund administrators, stockbrokers, portfolio managers, collective investment scheme managers, and money remitters.

What are the FICA requirements for banks in South Africa?

Banks must perform customer due diligence (CDD) before opening accounts, verify customer identity against Home Affairs, screen for PEPs and sanctions, implement transaction monitoring, file suspicious transaction reports (STRs), and maintain records for 5 years. Enhanced due diligence is required for high-risk customers.

What penalties do financial institutions face for FICA non-compliance?

Financial institutions face severe penalties including administrative sanctions up to R50 million, criminal prosecution with fines up to R100 million and/or 15 years imprisonment for money laundering, license revocation, and reputational damage. The FIC and SARB actively enforce compliance.

Do fintech companies need to comply with FICA?

Yes, fintech companies providing financial services (payments, lending, investments) must comply with FICA. Payment service providers, money transfer businesses, and crypto asset service providers are all accountable institutions. Fintechs must implement full KYC, AML procedures, and transaction monitoring.

How often must financial institutions review customer risk?

Financial institutions must conduct ongoing customer due diligence with risk-based review frequency. High-risk customers require annual reviews, medium-risk every 2-3 years, and low-risk every 3-5 years. Reviews must also be triggered by changes in customer circumstances or suspicious activity.

Related Resources

FICA Complete Guide

KYC Guide

ID Verification

Streamline Financial Services Compliance

VerifyNow provides instant ID verification, PEP/sanctions screening, and automated compliance workflows built for banks, insurers, and investment firms.

Start Free Trial