What is FICA Compliance, and How Digital Forms Make It Painless
FICA in plain English - who it applies to, what you have to collect, what counts as a verified record, and how to do KYC without a paper folder.
By FlexForms Team · 7 min read
FICA in one paragraph
The Financial Intelligence Centre Act, 2001 (FICA) is South Africa’s anti-money-laundering and counter-terror-financing law. It requires certain businesses — called accountable institutions — to know who their customers are, keep records of that information, and report suspicious transactions to the Financial Intelligence Centre (FIC). The customer-identification side of FICA is what most people mean when they say “FICA compliance”: collecting an ID copy, proof of address, and supporting information when onboarding a client.
Who has to FICA?
FICA applies to accountable institutions listed in Schedule 1 of the Act. The list was significantly expanded by the General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act in 2022. It now includes, among others:
- Banks, mutual banks, and the Postbank.
- Authorised financial services providers (FSPs) and long-term insurers.
- Attorneys and trust company service providers.
- Estate agents and high-value-goods dealers (R100,000+ cash transactions).
- Crypto asset service providers.
- Co-operative banks and money-remittance providers.
If you’re an accountable institution, you must be registered with the FIC, have a Risk Management and Compliance Programme (RMCP) in place, and conduct customer due diligence (CDD) on every client.
What you actually have to collect
FICA’s 2017 amendments shifted South Africa from a tick-box approach to a risk-based approach. The exact information you collect depends on the risk profile of the client, but the baseline for an individual is:
- Full names and surname.
- South African ID number (or passport number for non-citizens).
- Date of birth.
- Residential address.
- Income tax number, if registered.
- Source of funds and source of wealth (for higher-risk clients).
For a juristic person (company, CC, trust), you’re also collecting registration documents, proof of address, names of directors / members / trustees, and identifying the beneficial owners — the natural persons who ultimately own or control the entity.
What counts as a verified record?
A FICA record needs to do three things:
- Identify the client (the information above).
- Verify the information against an independent source — an ID document, a recent utility bill, the CIPC register, the SARS database, or a sanctions / PEP screening service.
- Be retrievable for at least five years after the business relationship ends, in a form that can be produced to the FIC on request.
Why paper FICA folders go wrong
The classic FICA failure mode is a filing cabinet of A4 envelopes with photocopied IDs, faded utility bills, and a sticky note saying “need to recheck address”. The compliance officer can’t tell at a glance which clients are out of date, which are missing documents, and which were screened against PEP and sanctions lists. When the FIC inspects, that ambiguity becomes a finding.
How digital forms change the picture
A purpose-built FICA onboarding form does the boring parts for you:
- Structured fields — ID number is validated as you type, address is captured in components rather than free text, and required fields can’t be skipped.
- Document upload — ID and proof of address attach to the record, not a separate folder.
- OTP signing — the client confirms their information by entering a PIN sent to the mobile number or email address on file.
- Audit trail — every change, every signature, every download is timestamped.
- Renewal reminders — when an address proof is older than 3 months or a record is approaching review date, the system flags it.
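As an added illustration (not FlexForms code), the sketch below shows the kind of checks such a form can run: the ID number's check digit and its agreement with the declared date of birth, the 3-month address-proof flag, and the five-year retention date. It assumes the South African ID layout YYMMDD SSSS C A Z with a Luhn check digit; the field names and the sample record are hypothetical.

```javascript
// Added example, not FlexForms code. Assumed SA ID layout: YYMMDD SSSS C A Z,
// where Z is a Luhn check digit computed over the preceding 12 digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; } // double every second digit from the right
    sum += d;
  }
  return sum % 10 === 0;
}

// True only for a real calendar date in YYYY-MM-DD form (rejects 1980-02-30).
function isRealDate(iso) {
  const d = new Date(iso + "T00:00:00Z");
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === iso;
}

// Returns a list of problems; an empty list means the field passes.
function checkSaId(id, dobIso) {
  if (!/^\d{13}$/.test(id)) return ["ID number must be exactly 13 digits"];
  const errors = [];
  if (!luhnValid(id)) errors.push("check digit mismatch");
  if (!isRealDate(dobIso)) errors.push("date of birth is not a valid date");
  else if (dobIso.slice(2).replace(/-/g, "") !== id.slice(0, 6))
    errors.push("date of birth does not match ID number");
  return errors;
}

// Calendar-month arithmetic in UTC, clamped to month end (29 Feb + 60 months = 28 Feb).
function addMonths(iso, n) {
  const d = new Date(iso + "T00:00:00Z");
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + n);
  const last = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, last));
  return d.toISOString().slice(0, 10);
}

// Hypothetical record fields: idNumber, dateOfBirth, addressProofDate, relationshipEnded.
function reviewRecord(record, todayIso) {
  return {
    idErrors: checkSaId(record.idNumber, record.dateOfBirth),
    addressProofStale: addMonths(record.addressProofDate, 3) < todayIso, // older than 3 months
    retainUntil: record.relationshipEnded ? addMonths(record.relationshipEnded, 60) : null,
  };
}

// Constructed sample record; the ID number is a synthetic test value.
const sample = { idNumber: "8001015009087", dateOfBirth: "1980-01-01",
                 addressProofDate: "2024-01-15", relationshipEnded: "2020-02-29" };
console.log(reviewRecord(sample, "2024-04-16"));
```

A passing check digit only shows the number is well formed; verification against an independent source is still a separate step.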
What about POPIA?
FICA forces you to collect personal information; POPIA tells you how to handle it once you have it. The two work together:
- Collect only what FICA requires (data minimisation under POPIA).
- Store it securely, with access controls and an audit log.
- Tell the client what you’re collecting, why, and how long you’ll keep it — FICA’s 5-year retention is a legal basis for keeping it that long.
- Have a plan for handling subject-access requests and deletion requests at the end of the retention period.
Practical checklist
- Confirm whether your business is an accountable institution under Schedule 1.
- Register with the FIC via the goAML portal if you are.
- Build (or buy) a digital onboarding form that captures the FICA fields and supporting documents in one go.
- Add PEP and sanctions screening — either via an integrated service or as a separate workflow.
- Store records electronically with retention dates, retrievable for at least 5 years.
- Document the whole process in your Risk Management and Compliance Programme (RMCP).
This article is general information and not legal or compliance advice. For your business’s obligations, consult a qualified compliance professional or attorney.