Compliance Guide

FICA Compliance Guide: ID Verification Requirements

A comprehensive guide to understanding and implementing Financial Intelligence Centre Act (FICA) compliance requirements for accountable institutions in South Africa.

Updated: February 2026 | 15 min read

What is FICA?

The Financial Intelligence Centre Act (FICA), Act 38 of 2001, is South African legislation designed to combat money laundering, terrorist financing, and other illicit financial activities. FICA establishes a comprehensive framework for identifying and reporting suspicious transactions while protecting the integrity of South Africa's financial system.

The Act was significantly amended in 2017 through the Financial Intelligence Centre Amendment Act (Act 1 of 2017), which introduced more stringent requirements and aligned South Africa's anti-money laundering (AML) framework with international standards set by the Financial Action Task Force (FATF).

Key Objectives of FICA

  • Prevent money laundering: Ensure that the financial system is not used to legitimize proceeds from criminal activities
  • Combat terrorist financing: Identify and disrupt the funding of terrorist organizations and activities
  • Detect financial crimes: Establish monitoring mechanisms to identify suspicious patterns and transactions
  • International cooperation: Enable South Africa to cooperate with international efforts to combat financial crime
  • Protect institutions: Safeguard accountable institutions from being used as vehicles for illicit financial activities

FICA requires accountable institutions to implement customer identification and verification procedures, commonly known as "Know Your Customer" (KYC) requirements. These procedures are fundamental to establishing and maintaining business relationships in South Africa's regulated financial sector.

Who Must Comply? Accountable Institutions

FICA defines "accountable institutions" as organizations that must comply with the Act's requirements. Schedule 1 of FICA lists all accountable institutions, which include a wide range of financial services providers and other businesses.

Primary Accountable Institutions

Financial Services

  • Banks and mutual banks
  • Long-term and short-term insurers
  • Financial services providers (FSPs)
  • Collective investment scheme managers
  • Stock brokers and securities traders
  • Portfolio managers

Professional Services

  • Attorneys and conveyancers
  • Chartered accountants
  • Trust and company service providers
  • Estate agents
  • Tax practitioners

Other Businesses

  • Casinos and gambling operators
  • Krugerrand dealers
  • Motor vehicle dealers
  • High-value goods dealers (R100,000+)
  • Money remitters and bureaux de change

Payment Services

  • Payment service providers
  • Crypto asset service providers
  • Money or value transfer services
  • Prepaid card issuers

The 2017 Amendment Act expanded the definition of accountable institutions to include emerging financial services, such as crypto asset service providers, reflecting the evolving nature of financial services and potential money laundering risks.

Compliance Obligations

All accountable institutions must comply with FICA's core requirements, including:

  • Registering with the Financial Intelligence Centre (FIC)
  • Implementing customer due diligence (CDD) procedures
  • Conducting ongoing monitoring of business relationships
  • Reporting suspicious and unusual transactions
  • Maintaining comprehensive records for specified periods
  • Appointing a compliance officer (for larger institutions)
  • Providing staff training on FICA requirements
  • Implementing risk management and compliance programs (RMCPs)

Customer Due Diligence (CDD) vs Enhanced Due Diligence (EDD)

FICA requires accountable institutions to apply a risk-based approach to customer verification. This means the level of due diligence must be proportionate to the money laundering and terrorist financing risks presented by the customer or business relationship.

Customer Due Diligence (CDD)

CDD is the standard level of verification required for all customers before establishing a business relationship or conducting single transactions above R5,000. Under Section 21 of FICA, CDD must include:

  • Identity verification: Confirming the customer's full name, date of birth, and identity number using a valid identification document
  • Residential address verification: Establishing and verifying the customer's physical residential address
  • Contact details: Obtaining telephone number and email address (where applicable)
  • Nature of business: Understanding the customer's occupation or business activities
  • Source of funds: Establishing the origin of funds or wealth for the business relationship
  • Purpose of relationship: Understanding the intended nature and purpose of the business relationship

Enhanced Due Diligence (EDD)

EDD is required when dealing with high-risk customers or situations that present an elevated risk of money laundering or terrorist financing. Section 21A of FICA mandates EDD for:

  • Politically Exposed Persons (PEPs): Domestic and foreign PEPs, their family members, and close associates
  • High-risk jurisdictions: Customers from countries identified by the FATF as high-risk or non-cooperative
  • Complex ownership structures: Entities with complex or opaque ownership that obscures beneficial ownership
  • Unusual business activities: Transactions or relationships that do not have an apparent economic or lawful purpose
  • Non-face-to-face customers: Business relationships established remotely without physical verification
  • High-value transactions: Transactions significantly above normal for the customer profile

EDD Additional Measures

When EDD is required, accountable institutions must implement additional measures, including:

  • Obtaining senior management approval for establishing or continuing the relationship
  • Conducting enhanced monitoring of the business relationship
  • Gathering additional information about the customer's source of wealth
  • Understanding the reasons for intended or performed transactions
  • Increasing the frequency and intensity of ongoing monitoring
  • Conducting more frequent reviews of the relationship

Best Practice: Implement a robust risk-rating system that automatically identifies when EDD is required. This ensures consistent application of appropriate due diligence measures and reduces the risk of non-compliance.

ID Verification Requirements Under FICA

Section 21 of FICA sets out specific requirements for identifying and verifying customers. Accountable institutions must establish and verify the identity of clients before establishing a business relationship or conducting a single transaction above R5,000.

Individual Customers

For South African citizens and residents, identity verification must include:

  • Full name: As it appears on the identification document
  • Date of birth: Extracted from the ID number or passport
  • ID number: South African identity number (validated against Department of Home Affairs records)
  • Residential address: Physical address verified through utility bills, bank statements, or municipal accounts
  • Valid identification document: Original or certified copy of SA ID card/book, passport, or driver's license
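The date of birth and check digit carried in an ID number can be tested locally before the number is sent to any verification service. The following is an added example, not code from the original page or from SA ID Checker; it assumes the 13-digit layout YYMMDD SSSS C A Z with a Luhn check digit, and all function names are hypothetical.

```javascript
// Added example: structural pre-check of a South African ID number.
// Assumed layout (not stated on the page): YYMMDD SSSS C A Z
//   YYMMDD date of birth, SSSS sequence (>= 5000 male), C citizenship digit,
//   A legacy digit, Z Luhn check digit over the whole 13-digit string.

// Luhn check: double every second digit from the right, sum, test mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Resolve YYMMDD to an ISO date, or null if the calendar date does not exist.
// Assumption: nobody is born in the future, so YY above the reference year's
// last two digits is read as 19YY; anything else is read as 20YY.
function resolveBirthDate(yymmdd, referenceYear) {
  const yy = Number(yymmdd.slice(0, 2));
  const month = Number(yymmdd.slice(2, 4));
  const day = Number(yymmdd.slice(4, 6));
  const century = Math.floor(referenceYear / 100) * 100;
  const year = yy <= referenceYear % 100 ? century + yy : century - 100 + yy;
  const date = new Date(Date.UTC(year, month - 1, day));
  // Date.UTC silently rolls impossible dates into a neighbouring month.
  const exists = date.getUTCFullYear() === year &&
    date.getUTCMonth() === month - 1 && date.getUTCDate() === day;
  return exists ? date.toISOString().slice(0, 10) : null;
}

// Returns the fields that can be derived offline plus a list of defects.
// A passing result only means the number is well formed; it says nothing
// about whether the number was ever issued or belongs to the customer.
function precheckSaId(raw, referenceYear = new Date().getUTCFullYear()) {
  const id = String(raw).replace(/\s+/g, '');
  if (!/^\d{13}$/.test(id)) {
    return { valid: false, errors: ['must be exactly 13 digits'] };
  }
  const errors = [];
  const dateOfBirth = resolveBirthDate(id.slice(0, 6), referenceYear);
  if (dateOfBirth === null) errors.push('invalid date of birth');
  if (!luhnValid(id)) errors.push('checksum mismatch');
  const citizenshipDigit = id[10];
  return {
    valid: errors.length === 0,
    errors,
    dateOfBirth,
    // YY at or below the reference year could be 19YY or 20YY: ask for the
    // document or an authoritative lookup before trusting the century.
    centuryAmbiguous: Number(id.slice(0, 2)) <= referenceYear % 100,
    gender: Number(id.slice(6, 10)) >= 5000 ? 'male' : 'female',
    // Assumption: 0 = citizen, 1 = permanent resident; other values are
    // reported as 'unknown' rather than rejected.
    citizenship: citizenshipDigit === '0' ? 'citizen'
      : citizenshipDigit === '1' ? 'permanent_resident' : 'unknown',
  };
}
```

Pass a fixed `referenceYear` when re-checking historical records so the century decision is reproducible in the audit trail.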

Foreign Nationals

For non-South African customers, verification must include:

  • Valid passport with photograph
  • Proof of South African residential address (if residing in SA)
  • Valid visa or work permit (where applicable for residents)
  • Tax identification number (foreign or South African)
  • Country of residence and nationality verification through independent sources

Legal Entities and Trusts

When dealing with entities, accountable institutions must verify:

  • Entity information: Registered name, registration number, registered address, and country of incorporation
  • Founding documents: Certificate of incorporation, trust deed, partnership agreement, or memorandum of incorporation
  • Authorized representatives: Identity verification of persons authorized to act on behalf of the entity
  • Beneficial owners: Identification of natural persons who ultimately own or control 25% or more of the entity (Section 21B)
  • Source of funds: Understanding the origin of the entity's assets and financial activities

Timing of Verification

FICA requires verification to be completed before establishing a business relationship. Specifically:

  • Before establishing a relationship: Verification must be completed before opening an account or providing services
  • Single transactions: Verification required for transactions equal to or above R5,000
  • Linked transactions: Multiple transactions that appear to be linked must be aggregated to determine if they exceed the R5,000 threshold
  • Suspicious transactions: Any transaction that raises suspicion must trigger verification regardless of value
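The aggregation rule for linked transactions can be implemented as a rolling-window sum per customer. This is an added example, not code from the original page; the page does not define what makes transactions "linked", so the same-customer rule, the 24-hour window, and every field and function name here are assumptions to be replaced by the rule in your RMCP.

```javascript
// Added example: decide when linked transactions reach the R5,000 threshold.
// Assumption: "linked" means same customer inside a rolling time window.
const THRESHOLD_CENTS = 5000 * 100;     // R5,000, kept in cents to avoid float drift
const WINDOW_MS = 24 * 60 * 60 * 1000;  // assumed 24-hour linking window

function findVerificationTriggers(transactions, options = {}) {
  const { thresholdCents = THRESHOLD_CENTS, windowMs = WINDOW_MS } = options;

  // Validate input and group by customer.
  const byCustomer = new Map();
  for (const tx of transactions) {
    const ts = Date.parse(tx.timestamp);
    if (Number.isNaN(ts)) throw new RangeError(`bad timestamp on ${tx.id}`);
    if (!Number.isInteger(tx.amountCents) || tx.amountCents <= 0) {
      throw new RangeError(`bad amount on ${tx.id}`);
    }
    if (!byCustomer.has(tx.customerId)) byCustomer.set(tx.customerId, []);
    byCustomer.get(tx.customerId).push({ id: tx.id, ts, amountCents: tx.amountCents });
  }

  const triggers = [];
  for (const [customerId, txs] of byCustomer) {
    txs.sort((a, b) => a.ts - b.ts);
    let start = 0;
    let windowSum = 0;
    for (let end = 0; end < txs.length; end++) {
      windowSum += txs[end].amountCents;
      // Drop transactions that fell out of the window ending at txs[end].
      while (txs[end].ts - txs[start].ts > windowMs) {
        windowSum -= txs[start].amountCents;
        start++;
      }
      if (windowSum >= thresholdCents) {
        triggers.push({
          customerId,
          reason: txs[end].amountCents >= thresholdCents ? 'single' : 'linked',
          totalCents: windowSum,
          transactionIds: txs.slice(start, end + 1).map((t) => t.id),
        });
        break; // first trigger is enough: verification is now required
      }
    }
  }
  return triggers;
}

// Constructed sample data (not real transactions).
const SAMPLE_TRANSACTIONS = [
  { id: 't1', customerId: 'A', amountCents: 200000, timestamp: '2026-02-02T08:00:00Z' },
  { id: 't2', customerId: 'A', amountCents: 200000, timestamp: '2026-02-02T11:00:00Z' },
  { id: 't3', customerId: 'A', amountCents: 200000, timestamp: '2026-02-02T14:00:00Z' },
  { id: 't4', customerId: 'B', amountCents: 300000, timestamp: '2026-02-02T09:00:00Z' },
  { id: 't5', customerId: 'B', amountCents: 300000, timestamp: '2026-02-05T09:00:00Z' },
  { id: 't6', customerId: 'C', amountCents: 500000, timestamp: '2026-02-03T10:00:00Z' },
];
```

Keep the returned `transactionIds` with the verification record so the audit trail shows which transactions were aggregated.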

Acceptable Verification Methods

FICA allows various methods for verifying customer identity:

  • Face-to-face verification: Physical inspection of original documents
  • Certified copies: Documents certified by authorized persons (police officers, commissioners of oaths, notaries)
  • Electronic verification: Using databases such as Department of Home Affairs ID verification services
  • Biometric verification: Fingerprint verification through Home Affairs systems
  • Third-party verification: Reliance on verification conducted by another accountable institution (with proper agreements in place)

Example: FICA-Compliant ID Verification API Call

// FICA-compliant ID verification using SA ID Checker API
// logFICAVerification() is your application's own record-keeping function
// (see Record-Keeping Obligations); it is not defined in this snippet.
const verifyCustomerIdentity = async (idNumber, firstName, lastName) => {
  try {
    const response = await fetch('https://api.saidchecker.co.za/v1/verify', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        // Placeholder: load the key from a secrets store, do not hard-code it
        'Authorization': 'Bearer YOUR_API_KEY',
        'X-FICA-Compliance': 'true'
      },
      body: JSON.stringify({
        id_number: idNumber,
        first_name: firstName,
        last_name: lastName,
        verification_type: 'FICA_CDD',
        check_home_affairs: true,
        check_sanctions: true,
        check_pep: true
      })
    });

    // Fail closed on non-2xx responses, which may not carry a JSON body
    if (!response.ok) {
      return { success: false, error: `HTTP ${response.status}` };
    }

    const data = await response.json();

    if (data.verification_status === 'verified') {
      // Log verification for FICA record-keeping
      await logFICAVerification({
        customer_id: data.customer_id,
        verification_date: new Date().toISOString(),
        verification_method: 'electronic',
        id_number: idNumber,
        dha_match: data.home_affairs_match,
        pep_status: data.pep_status,
        sanctions_match: data.sanctions_match,
        risk_rating: data.risk_rating
      });

      const pepDetected = data.pep_status === 'match';

      return {
        success: true,
        customer_verified: true,
        // A PEP match requires EDD even when the overall rating is not 'high'
        edd_required: data.risk_rating === 'high' || pepDetected,
        pep_detected: pepDetected
      };
    }

    return { success: false, error: data.error_message };
  } catch (error) {
    // Network failure, invalid JSON, or a failure in the record-keeping call
    console.error('FICA verification failed:', error.message);
    return { success: false, error: error.message };
  }
};

// Usage (top-level await requires an ES module)
const result = await verifyCustomerIdentity(
  '9001015009087',
  'John',
  'Smith'
);

if (result.edd_required) {
  console.log('EDD required - escalate to compliance officer');
}

Record-Keeping Obligations

Section 22 of FICA imposes comprehensive record-keeping requirements on accountable institutions. Proper record-keeping is essential for regulatory compliance, audit trails, and assisting law enforcement investigations.

Minimum Retention Period

Accountable institutions must keep records for at least 5 years after:

  • The date on which the business relationship is terminated, or
  • The date on which the transaction is concluded (for single transactions)

The 5-year period ensures that historical records are available for investigations, as money laundering schemes often involve layering transactions over extended periods.

Records That Must Be Kept

1. Customer Identification Records

  • Original or certified copies of identification documents
  • Records of identity verification steps taken
  • Address verification documentation
  • Documentation establishing beneficial ownership (for entities)
  • PEP screening results and risk assessment documentation
  • Records of senior management approval (for high-risk customers)

2. Transaction Records

  • Details of all transactions conducted with or for the customer
  • Nature and date of the transaction and amounts involved
  • Type of currency involved in the transaction
  • Account numbers or other reference numbers for the transaction
  • For cash transactions: the name and address of the person from whom cash was received or to whom it was paid

3. Ongoing Monitoring Records

  • Records of ongoing monitoring activities and frequency
  • Documentation of periodic customer relationship reviews
  • Updated risk assessments and changes in customer risk profile
  • Records of unusual or suspicious activity investigations
  • Correspondence with customers regarding verification or monitoring

4. Compliance Program Records

  • Risk Management and Compliance Program (RMCP) documentation
  • Staff training records and attendance registers
  • Internal audit reports and compliance testing results
  • Suspicious transaction reports (STRs) filed with the FIC
  • Records of compliance officer activities and decisions

Record Accessibility and Format

Records must be:

  • Readily accessible: Available for immediate retrieval when requested by the FIC or other competent authorities
  • Retrievable: Maintained in a format that allows for easy searching and extraction
  • Legible: Clear and readable throughout the retention period
  • Protected: Secured against unauthorized access, alteration, or destruction
  • Electronic format acceptable: Digital records are permitted provided they meet security and accessibility requirements

Record Destruction

After the retention period expires:

  • Records may be destroyed in accordance with the institution's document retention policy
  • Destruction should be conducted securely to protect customer privacy
  • Records should not be destroyed if they are subject to a legal hold or ongoing investigation
  • Consider retaining records beyond the minimum period for business purposes or risk management

Technology Tip: Implement a document management system with automated retention tracking that alerts compliance teams when records are approaching the end of their retention period. This ensures compliance and reduces storage costs.

Penalties for Non-Compliance

FICA imposes severe penalties for non-compliance to ensure accountable institutions take their obligations seriously. The 2017 Amendment Act significantly increased penalties, demonstrating South Africa's commitment to combating financial crime.

Warning: Severe Penalties Apply

Non-compliance with FICA can result in devastating consequences for your organization, including criminal prosecution, massive fines, and reputational damage that can destroy your business. The Financial Intelligence Centre actively monitors compliance and does not hesitate to impose penalties.

Don't risk your business - ensure full FICA compliance today.

Administrative Sanctions

The FIC Centre Director can impose administrative sanctions for non-compliance, including:

  • Financial penalties up to R100 million: Section 45B allows for penalties proportionate to the severity and duration of non-compliance
  • Cautions: Formal written warnings for minor or first-time violations
  • Directives: Orders to take specific corrective action within a specified timeframe
  • Public statements: Publication of non-compliance on the FIC website, causing reputational damage
  • Referral to regulatory bodies: Notification to licensing authorities that may result in license suspension or revocation

Criminal Prosecution

Serious violations can result in criminal charges under FICA:

  • Fines up to R100 million: For corporate entities found guilty of FICA contraventions
  • Imprisonment up to 15 years: For individuals involved in serious contraventions such as:
    • Failure to report suspicious transactions (Section 29)
    • Tipping off suspects about investigations (Section 30)
    • Deliberate failure to implement required controls
  • Director and officer liability: Senior management can be held personally liable for compliance failures

Specific Offences and Penalties

Offence | Maximum Fine | Imprisonment
Failure to verify customer identity | R100 million | Up to 15 years
Failure to report suspicious transactions | R100 million | Up to 15 years
Failure to keep records | R100 million | Up to 10 years
Tipping off | R100 million | Up to 15 years
Failure to register with FIC | R10 million | Up to 5 years

Additional Consequences

Beyond fines and imprisonment, non-compliance can result in:

  • Reputational damage: Public disclosure of non-compliance severely damages customer trust and brand value
  • Loss of business licenses: Regulatory bodies may suspend or revoke operating licenses
  • Increased scrutiny: Enhanced monitoring by regulators and more frequent inspections
  • Civil liability: Customers or third parties may pursue civil claims for damages
  • Loss of banking relationships: Banks may close accounts or refuse to provide services to non-compliant institutions
  • International sanctions: Non-compliance can result in FATF grey-listing or blacklisting for South Africa, impacting all businesses

Recent Enforcement Actions

The FIC has demonstrated its willingness to enforce compliance, with recent actions including:

  • Multi-million rand fines imposed on major banks for inadequate CDD procedures
  • Criminal prosecution of estate agents for failure to register and verify customers
  • Public censures of attorneys and accountants for deficient record-keeping
  • Suspension of money remitter licenses for systematic non-compliance

How SA ID Checker Helps with FICA Compliance

SA ID Checker provides a comprehensive solution for accountable institutions to meet their FICA obligations efficiently and cost-effectively. Our platform is designed specifically for the South African regulatory environment and integrates seamlessly with your existing systems.

Core Compliance Features

1. Instant ID Verification

  • Real-time validation of South African ID numbers against Department of Home Affairs records
  • Automatic extraction and verification of demographic data (name, date of birth, gender)
  • ID number format validation and checksum verification
  • Detection of invalid, fraudulent, or deceased person ID numbers
  • Support for green barcoded ID cards and smart ID cards

2. PEP and Sanctions Screening

  • Comprehensive screening against Politically Exposed Persons (PEP) databases
  • Sanctions list screening (UN, EU, OFAC, and local sanctions)
  • Adverse media checks for negative news and criminal activity
  • Ongoing monitoring with alerts for new PEP or sanctions matches
  • Risk scoring to determine when Enhanced Due Diligence is required

3. Address Verification

  • Verification of residential addresses through multiple data sources
  • Postal address validation and standardization
  • Proof of residence document verification (utility bills, statements)
  • Geographic risk assessment based on address location

4. Automated Record-Keeping

  • Secure storage of all verification records for the required 5-year period
  • Comprehensive audit trails of all verification activities
  • Timestamped records of who performed verifications and when
  • Easy retrieval of historical records for regulatory inspections
  • Automated retention management with alerts before expiry

5. Risk Assessment and EDD Triggers

  • Automated risk scoring based on multiple factors (PEP status, jurisdiction, transaction patterns)
  • Configurable risk thresholds aligned with your RMCP
  • Automatic flagging of customers requiring Enhanced Due Diligence
  • Workflow management for EDD cases requiring senior management approval
  • Periodic re-screening and ongoing monitoring automation

Integration and Implementation

SA ID Checker integrates easily into your existing systems:

  • RESTful API: Simple JSON-based API for programmatic integration
  • Web interface: User-friendly portal for manual verifications and reporting
  • Webhook notifications: Real-time alerts for PEP matches, sanctions hits, and risk changes
  • Bulk processing: Upload and verify large customer databases for portfolio screening
  • White-label options: Branded verification pages for customer-facing applications

Compliance Reporting

Generate the reports you need for regulatory compliance and internal audits:

  • FICA compliance reports showing verification completion rates
  • High-risk customer reports for EDD tracking and management
  • PEP and sanctions screening summary reports for board presentations
  • Audit trail reports for FIC inspections and internal audits
  • Custom reports tailored to your specific regulatory and business requirements

Cost and Efficiency Benefits

  • Reduce manual processing: Automate 95% of standard ID verifications
  • Lower compliance costs: Pay-per-use pricing with no expensive infrastructure required
  • Faster customer onboarding: Complete verification in seconds instead of hours or days
  • Reduce fraud losses: Detect fraudulent IDs and identity theft attempts
  • Avoid penalties: Ensure consistent, thorough compliance with FICA requirements

Ready to streamline your FICA compliance? Get started with SA ID Checker today. Our solution is trusted by banks, insurers, and accountable institutions across South Africa. Try our API free for 14 days with no credit card required.

FICA Compliance Implementation Checklist

Use this comprehensive checklist to ensure your organization meets all FICA requirements. This checklist is designed for accountable institutions implementing or reviewing their FICA compliance program.

Registration and Governance

Customer Due Diligence (CDD)

Enhanced Due Diligence (EDD)

Ongoing Monitoring

Reporting and Record-Keeping

Training and Awareness

Testing and Audit

Frequently Asked Questions

What is FICA and who must comply with it?

FICA (Financial Intelligence Centre Act) is South African legislation that combats money laundering and terrorist financing. Accountable institutions including banks, insurance companies, estate agents, attorneys, casinos, car dealers, and Krugerrand dealers must comply with FICA requirements for customer identification and verification.

What are the ID verification requirements under FICA?

FICA requires accountable institutions to verify customer identity using valid identification documents (SA ID, passport, driver's license), verify residential addresses, screen against sanctions lists and PEP databases, and verify beneficial ownership for entities. All verification must be completed before establishing a business relationship.

How long must FICA records be kept?

Under Section 22 of FICA, accountable institutions must keep records for at least 5 years after termination of the business relationship or completion of the transaction. Records must be readily accessible and retrievable for inspection by the Financial Intelligence Centre.

What are the penalties for FICA non-compliance?

FICA non-compliance can result in administrative sanctions up to R100 million, criminal prosecution with fines up to R100 million, imprisonment up to 15 years for serious offences, reputational damage, and potential business license suspension or revocation.

What is the difference between CDD and EDD under FICA?

Customer Due Diligence (CDD) is the standard level of verification for all customers, including identity verification and address confirmation. Enhanced Due Diligence (EDD) is required for high-risk customers such as PEPs, foreign nationals from high-risk countries, and complex ownership structures, requiring additional scrutiny and ongoing monitoring.
