What is FICA?
The Financial Intelligence Centre Act (FICA), Act 38 of 2001, is South African legislation designed to combat money laundering, terrorist financing, and other illicit financial activities. FICA establishes a comprehensive framework for identifying and reporting suspicious transactions while protecting the integrity of South Africa's financial system.
The Act was significantly amended in 2017 through the Financial Intelligence Centre Amendment Act (Act 1 of 2017), which introduced more stringent requirements and aligned South Africa's anti-money laundering (AML) framework with international standards set by the Financial Action Task Force (FATF).
Key Objectives of FICA
- Prevent money laundering: Ensure that the financial system is not used to legitimize proceeds from criminal activities
- Combat terrorist financing: Identify and disrupt the funding of terrorist organizations and activities
- Detect financial crimes: Establish monitoring mechanisms to identify suspicious patterns and transactions
- International cooperation: Enable South Africa to cooperate with international efforts to combat financial crime
- Protect institutions: Safeguard accountable institutions from being used as vehicles for illicit financial activities
FICA requires accountable institutions to implement customer identification and verification procedures, commonly known as "Know Your Customer" (KYC) requirements. These procedures are fundamental to establishing and maintaining business relationships in South Africa's regulated financial sector.
Who Must Comply? Accountable Institutions
FICA defines "accountable institutions" as organizations that must comply with the Act's requirements. Schedule 1 of FICA lists all accountable institutions, which include a wide range of financial services providers and other businesses.
Primary Accountable Institutions
Financial Services
- Banks and mutual banks
- Long-term and short-term insurers
- Financial services providers (FSPs)
- Collective investment scheme managers
- Stock brokers and securities traders
- Portfolio managers
Professional Services
- Attorneys and conveyancers
- Chartered accountants
- Trust and company service providers
- Estate agents
- Tax practitioners
Other Businesses
- Casinos and gambling operators
- Krugerrand dealers
- Motor vehicle dealers
- High-value goods dealers (R100,000+)
- Money remitters and bureaux de change
Payment Services
- Payment service providers
- Crypto asset service providers
- Money or value transfer services
- Prepaid card issuers
The 2017 Amendment Act expanded the definition of accountable institutions to include emerging financial services, such as crypto asset service providers, reflecting the evolving nature of financial services and potential money laundering risks.
Compliance Obligations
All accountable institutions must comply with FICA's core requirements, including:
- Registering with the Financial Intelligence Centre (FIC)
- Implementing customer due diligence (CDD) procedures
- Conducting ongoing monitoring of business relationships
- Reporting suspicious and unusual transactions
- Maintaining comprehensive records for specified periods
- Appointing a compliance officer (for larger institutions)
- Providing staff training on FICA requirements
- Implementing risk management and compliance programs (RMCPs)
Customer Due Diligence (CDD) vs Enhanced Due Diligence (EDD)
FICA requires accountable institutions to apply a risk-based approach to customer verification. This means the level of due diligence must be proportionate to the money laundering and terrorist financing risks presented by the customer or business relationship.
Customer Due Diligence (CDD)
CDD is the standard level of verification required for all customers before establishing a business relationship or conducting single transactions above R5,000. Under Section 21 of FICA, CDD must include:
- Identity verification: Confirming the customer's full name, date of birth, and identity number using a valid identification document
- Residential address verification: Establishing and verifying the customer's physical residential address
- Contact details: Obtaining telephone number and email address (where applicable)
- Nature of business: Understanding the customer's occupation or business activities
- Source of funds: Establishing the origin of funds or wealth for the business relationship
- Purpose of relationship: Understanding the intended nature and purpose of the business relationship
Enhanced Due Diligence (EDD)
EDD is required when dealing with high-risk customers or situations that present an elevated risk of money laundering or terrorist financing. Section 21A of FICA mandates EDD for:
- Politically Exposed Persons (PEPs): Domestic and foreign PEPs, their family members, and close associates
- High-risk jurisdictions: Customers from countries identified by the FATF as high-risk or non-cooperative
- Complex ownership structures: Entities with complex or opaque ownership that obscures beneficial ownership
- Unusual business activities: Transactions or relationships that do not have an apparent economic or lawful purpose
- Non-face-to-face customers: Business relationships established remotely without physical verification
- High-value transactions: Transactions significantly above normal for the customer profile
EDD Additional Measures
When EDD is required, accountable institutions must implement additional measures, including:
- Obtaining senior management approval for establishing or continuing the relationship
- Conducting enhanced monitoring of the business relationship
- Gathering additional information about the customer's source of wealth
- Understanding the reasons for intended or performed transactions
- Increasing the frequency and intensity of ongoing monitoring
- Conducting more frequent reviews of the relationship
Best Practice: Implement a robust risk-rating system that automatically identifies when EDD is required. This ensures consistent application of appropriate due diligence measures and reduces the risk of non-compliance.
ID Verification Requirements Under FICA
Section 21 of FICA sets out specific requirements for identifying and verifying customers. Accountable institutions must establish and verify the identity of clients before establishing a business relationship or conducting a single transaction above R5,000.
Individual Customers
For South African citizens and residents, identity verification must include:
- Full name: As it appears on the identification document
- Date of birth: Extracted from the ID number or passport
- ID number: South African identity number, confirmed against the holder's identification document
- Residential address: Physical address verified through utility bills, bank statements, or municipal accounts
- Valid identification document: Original or certified copy of SA ID card/book, passport, or driver's license
Foreign Nationals
For non-South African customers, verification must include:
- Valid passport with photograph
- Proof of South African residential address (if residing in SA)
- Valid visa or work permit (where applicable for residents)
- Tax identification number (foreign or South African)
- Country of residence and nationality verification through independent sources
Legal Entities and Trusts
When dealing with entities, accountable institutions must verify:
- Entity information: Registered name, registration number, registered address, and country of incorporation
- Founding documents: Certificate of incorporation, trust deed, partnership agreement, or memorandum of incorporation
- Authorized representatives: Identity verification of persons authorized to act on behalf of the entity
- Beneficial owners: Identification of natural persons who ultimately own or control 25% or more of the entity (Section 21B)
- Source of funds: Understanding the origin of the entity's assets and financial activities
Timing of Verification
FICA requires verification to be completed before establishing a business relationship. Specifically:
- Before establishing a relationship: Verification must be completed before opening an account or providing services
- Single transactions: Verification required for transactions equal to or above R5,000
- Linked transactions: Multiple transactions that appear to be linked must be aggregated to determine if they exceed the R5,000 threshold
- Suspicious transactions: Any transaction that raises suspicion must trigger verification regardless of value
Acceptable Verification Methods
FICA allows various methods for verifying customer identity:
- Face-to-face verification: Physical inspection of original documents
- Certified copies: Documents certified by authorized persons (police officers, commissioners of oaths, notaries)
- Electronic verification: Using databases such as Department of Home Affairs ID verification services
- Biometric verification: Fingerprint verification through Home Affairs systems
- Third-party verification: Reliance on verification conducted by another accountable institution (with proper agreements in place)
Example: Validating an SA ID Number with the SA ID Checker API
SA ID Checker validates the structure of an SA ID number (format, date validity, and Luhn checksum) and decodes the date of birth, age, gender, and citizenship classification carried in the number itself. It does not connect to Home Affairs and does not perform PEP, sanctions, or identity verification — those remain separate steps in your FICA workflow.
```javascript
// Structural SA ID number validation using the SA ID Checker API
const validateIdNumber = async (idNumber) => {
  try {
    const response = await fetch('https://api.saidchecker.co.za/v1/validate', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': 'Bearer YOUR_API_KEY'
      },
      body: JSON.stringify({
        id_number: idNumber
      })
    });
    const data = await response.json();
    if (data.is_valid) {
      // Use the decoded details as one input into your CDD process.
      // No ID number or decoded personal details are stored by SA ID Checker;
      // only privacy-safe usage metadata (is_valid, source, timestamp) is logged.
      return {
        success: true,
        is_valid: true,
        date_of_birth: data.date_of_birth,
        age: data.age,
        gender: data.gender,
        citizenship: data.citizenship
      };
    }
    return { success: false, is_valid: false, error: data.error_message };
  } catch (error) {
    // Network or parsing failure: log the error only, never the ID number.
    console.error('ID number validation failed:', error);
    return { success: false, error: error.message };
  }
};

// Usage (top-level await requires an ES module)
const result = await validateIdNumber('9001015009087');
if (result.is_valid) {
  console.log('ID number is structurally valid - continue your CDD checks');
}
```
Record-Keeping Obligations
Section 22 of FICA imposes comprehensive record-keeping requirements on accountable institutions. Proper record-keeping is essential for regulatory compliance, audit trails, and assisting law enforcement investigations.
Minimum Retention Period
Accountable institutions must keep records for at least 5 years after:
- The date on which the business relationship is terminated, or
- The date on which the transaction is concluded (for single transactions)
The 5-year period ensures that historical records are available for investigations, as money laundering schemes often involve layering transactions over extended periods.
Records That Must Be Kept
1. Customer Identification Records
- Original or certified copies of identification documents
- Records of identity verification steps taken
- Address verification documentation
- Documentation establishing beneficial ownership (for entities)
- PEP screening results and risk assessment documentation
- Records of senior management approval (for high-risk customers)
2. Transaction Records
- Details of all transactions conducted with or for the customer
- Nature and date of the transaction and amounts involved
- Type of currency involved in the transaction
- Account numbers or other reference numbers for the transaction
- For cash transactions: the name and address of the person from whom cash was received or to whom it was paid
3. Ongoing Monitoring Records
- Records of ongoing monitoring activities and frequency
- Documentation of periodic customer relationship reviews
- Updated risk assessments and changes in customer risk profile
- Records of unusual or suspicious activity investigations
- Correspondence with customers regarding verification or monitoring
4. Compliance Program Records
- Risk Management and Compliance Program (RMCP) documentation
- Staff training records and attendance registers
- Internal audit reports and compliance testing results
- Suspicious transaction reports (STRs) filed with the FIC
- Records of compliance officer activities and decisions
Record Accessibility and Format
Records must be:
- Readily accessible: Available for immediate retrieval when requested by the FIC or other competent authorities
- Retrievable: Maintained in a format that allows for easy searching and extraction
- Legible: Clear and readable throughout the retention period
- Protected: Secured against unauthorized access, alteration, or destruction
- Electronic format acceptable: Digital records are permitted provided they meet security and accessibility requirements
Record Destruction
After the retention period expires:
- Records may be destroyed in accordance with the institution's document retention policy
- Destruction should be conducted securely to protect customer privacy
- Records should not be destroyed if they are subject to a legal hold or ongoing investigation
- Consider retaining records beyond the minimum period for business purposes or risk management
Technology Tip: Implement a document management system with automated retention tracking that alerts compliance teams when records are approaching the end of their retention period. This ensures compliance and reduces storage costs.
Penalties for Non-Compliance
FICA imposes severe penalties for non-compliance to ensure accountable institutions take their obligations seriously. The 2017 Amendment Act significantly increased penalties, demonstrating South Africa's commitment to combating financial crime.
Warning: Severe Penalties Apply
Non-compliance with FICA can result in devastating consequences for your organization, including criminal prosecution, massive fines, and reputational damage that can destroy your business. The Financial Intelligence Centre actively monitors compliance and does not hesitate to impose penalties.
Don't risk your business - ensure full FICA compliance today.
Administrative Sanctions
The FIC Centre Director can impose administrative sanctions for non-compliance, including:
- Financial penalties up to R100 million: Section 45B allows for penalties proportionate to the severity and duration of non-compliance
- Cautions: Formal written warnings for minor or first-time violations
- Directives: Orders to take specific corrective action within a specified timeframe
- Public statements: Publication of non-compliance on the FIC website, causing reputational damage
- Referral to regulatory bodies: Notification to licensing authorities that may result in license suspension or revocation
Criminal Prosecution
Serious violations can result in criminal charges under FICA:
- Fines up to R100 million: For corporate entities found guilty of FICA contraventions
- Imprisonment up to 15 years: For individuals involved in serious contraventions such as:
  - Failure to report suspicious transactions (Section 29)
  - Tipping off suspects about investigations (Section 30)
  - Deliberate failure to implement required controls
- Director and officer liability: Senior management can be held personally liable for compliance failures
Specific Offences and Penalties
| Offence | Maximum Fine | Imprisonment |
|---|---|---|
| Failure to verify customer identity | R100 million | Up to 15 years |
| Failure to report suspicious transactions | R100 million | Up to 15 years |
| Failure to keep records | R100 million | Up to 10 years |
| Tipping off | R100 million | Up to 15 years |
| Failure to register with FIC | R10 million | Up to 5 years |
Additional Consequences
Beyond fines and imprisonment, non-compliance can result in:
- Reputational damage: Public disclosure of non-compliance severely damages customer trust and brand value
- Loss of business licenses: Regulatory bodies may suspend or revoke operating licenses
- Increased scrutiny: Enhanced monitoring by regulators and more frequent inspections
- Civil liability: Customers or third parties may pursue civil claims for damages
- Loss of banking relationships: Banks may close accounts or refuse to provide services to non-compliant institutions
- International sanctions: Non-compliance can result in FATF grey-listing or blacklisting for South Africa, impacting all businesses
Recent Enforcement Actions
The FIC has demonstrated its willingness to enforce compliance, with recent actions including:
- Multi-million rand fines imposed on major banks for inadequate CDD procedures
- Criminal prosecution of estate agents for failure to register and verify customers
- Public censures of attorneys and accountants for deficient record-keeping
- Suspension of money remitter licenses for systematic non-compliance
How SA ID Checker Fits into FICA Compliance
SA ID Checker handles one specific, well-defined step of the customer-identification process: validating the structure of a South African ID number and decoding the details it carries. It is a building block for your FICA workflow, not a substitute for it. Identity verification, address verification, PEP and sanctions screening, beneficial-ownership checks, risk rating, ongoing monitoring, and record-keeping remain your responsibility (typically handled by your own systems and specialist providers).
Important: SA ID Checker performs structural ID number validation only. It does not connect to Home Affairs or any government database, does not verify a person's real-world identity or physical document, and does not screen against PEP, sanctions, adverse-media, or deceased-person lists. A valid result confirms that an ID number is well-formed — not that it belongs to the person presenting it.
What SA ID Checker Does
- Structural validation: Checks the 13-digit format, the validity of the embedded date, and the Luhn checksum to confirm an ID number is well-formed
- Decoded details: Reads the date of birth, age, gender, and citizenship classification carried in the number itself — useful as one input when capturing customer details
- Downloadable certificate: Generates a certificate at validation time that you can retain in your own records as evidence that a structural check was performed
- Bulk CSV and REST API: Validate a single number through the web interface, upload a CSV to validate many at once, or call the REST API to integrate validation into your onboarding flow
- Privacy-safe logging: We store only usage metadata about a check — whether it passed, the source (web, CSV, or API), the timestamp, and the account that ran it. We do not store the ID number itself or the decoded personal details
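The three structural checks and the decoding described above can be reproduced locally, which makes it clear what a "valid" result does and does not establish. The following is an added example, not SA ID Checker's own code: the function names, the `reason` field, the `other` citizenship label and the century rule are assumptions, and the sample numbers are constructed.

```javascript
// Added example: local structural check of a South African ID number.
// Assumed layout: YYMMDD SSSS C A Z (birth date, sequence, citizenship,
// legacy digit, Luhn check digit).

function luhnValid(digits) {
  let sum = 0;
  // Walk right to left, doubling every second digit.
  for (let i = digits.length - 1, pos = 0; i >= 0; i--, pos++) {
    let d = digits.charCodeAt(i) - 48;
    if (pos % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// The number carries only a two-digit year. Assumption: take the most recent
// century in which the date is a real calendar date and not in the future.
function resolveBirthDate(yy, mm, dd, today) {
  for (const century of [2000, 1900]) {
    const year = century + yy;
    const d = new Date(Date.UTC(year, mm - 1, dd));
    const real = d.getUTCFullYear() === year &&
      d.getUTCMonth() === mm - 1 && d.getUTCDate() === dd;
    if (real && d <= today) return d;
  }
  return null;
}

function ageOn(birth, today) {
  const years = today.getUTCFullYear() - birth.getUTCFullYear();
  const beforeBirthday = today.getUTCMonth() < birth.getUTCMonth() ||
    (today.getUTCMonth() === birth.getUTCMonth() &&
      today.getUTCDate() < birth.getUTCDate());
  return beforeBirthday ? years - 1 : years;
}

// Result fields mirror the response fields used earlier on the page;
// `reason` is a hypothetical addition.
function checkSaIdNumber(input, today = new Date()) {
  const id = String(input).trim();
  if (!/^\d{13}$/.test(id)) return { is_valid: false, reason: 'format' };
  const birth = resolveBirthDate(+id.slice(0, 2), +id.slice(2, 4), +id.slice(4, 6), today);
  if (!birth) return { is_valid: false, reason: 'date' };
  if (!luhnValid(id)) return { is_valid: false, reason: 'checksum' };
  return {
    is_valid: true,
    date_of_birth: birth.toISOString().slice(0, 10),
    age: ageOn(birth, today),
    gender: Number(id.slice(6, 10)) >= 5000 ? 'male' : 'female',
    citizenship: { 0: 'citizen', 1: 'permanent_resident' }[id[10]] || 'other',
  };
}

// Log entry limited to usage metadata: no ID number, no decoded details.
function usageLogEntry(result, source, now = new Date()) {
  return { is_valid: result.is_valid, source, timestamp: now.toISOString() };
}

// Constructed sample values, not real customers' numbers.
const asOf = new Date(Date.UTC(2025, 0, 15));
console.log(checkSaIdNumber('8001015009087', asOf)); // passes all three checks
console.log(checkSaIdNumber('9001015009087', asOf)); // fails the checksum
```

Because every input to these checks is public knowledge, anyone can construct a number that passes them; a pass is a data-quality signal, not evidence of identity.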
What SA ID Checker Does Not Do
The following FICA-related steps are outside the scope of SA ID Checker and must be handled separately:
- Verifying identity against Department of Home Affairs records or any government database
- Confirming that a physical ID document is genuine or belongs to the person presenting it
- PEP, sanctions, anti-money-laundering, or adverse-media screening
- Detecting deceased persons, fraud, or assigning a risk rating
- Residential or postal address verification
- Maintaining retrievable, ID-level audit trails or 5-year verification records on your behalf
Where It Helps in Your Workflow
Used correctly, structural validation removes obvious errors early and speeds up data capture:
- Catch typos and malformed numbers up front: Reject structurally invalid ID numbers before they enter your CDD process, reducing rework downstream
- Pre-fill capture fields: Use the decoded date of birth, age, gender, and citizenship as a starting point for the customer details you record
- Process lists efficiently: Use bulk CSV or the API to validate many ID numbers at once when cleaning or onboarding records
- Keep your own evidence: Attach the downloadable certificate to your records to show a structural check was carried out
Want to add structural ID number validation to your onboarding? Get started with SA ID Checker. Validate single numbers in the browser, upload a CSV for bulk checks, or integrate the REST API into your own systems.
FICA Compliance Implementation Checklist
Use this comprehensive checklist to ensure your organization meets all FICA requirements. This checklist is designed for accountable institutions implementing or reviewing their FICA compliance program.