KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

namedate of birthidentity numberresidential address compared to information used for verification purposes

KYC to onboard international persons

namedate of birthidentity numberresidential address compared to information used for verification purposesresidential address

corporate requirements

registered nameregistration numberregistered addresstrading nameentity addressidentity of board of directors

National ID card name

South African identity card

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

Electronic Communication and Transactions Act 25 of 2002

E-sig law files

south africa.pdf

What year did the relevant AML laws and regulations become effective?

2010

Further details on AML regime

The Money Laundering and Terrorist Financing Control regulations were published in Dec 2002 and have been amended on various occasions, the most recent being in Nov 2010.

Who is the regulator for AML controls for Banking

South African Reserve Bank

Link to site

www.resbank.co.za/

Other financial Services

Financial Services Board

Website of Regulator

https://www.fsb.co.za/Pages/Home.aspx

Financial Sector regulator

www.ngb.org.za/, www.eaab.org.za/, www.lssa.org.za/

Practical Guidance for AML

The FICA has issued various guidance notes with regards to AML requirements

Practical guidance PDF's

Is there a requirement to verify the identity of customers retroactively?

Yes

Retroactive details

Yes. Banks and other accountable institutions were required to retrospectively identify and verify the identity and other information of all clients that held accounts with them at the time that the law became operational. An accountable institution that had an established business relationship with a client before the FICA took effect may not conclude a transaction in the course of that business relationship, unless it has taken the prescribed steps to establish and verify the identity of the client.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

The last FATF Mutual Evaluation conducted on South Africa was finalised in 2008. The applicable report was published on 02 Mar 2008

PDF of FATF review

Are there minimum transaction thresholds (Y/N)

More details on minimum transaction thresholds.

No. Due diligence is always required for all client relationships and single transactions, irrespective of the value involved. However the law does make a provision for certain exemptions where a reduced level of due diligence is permitted. These exemptions form part of the FICA regulations and affect various industries.

What are the requirements for customer identification information for individuals

An accountable institution must verify the full name, date of birth and identity number of a natural person to an identification document of that person. The residential address must be compared to information that can be used for verification purposes (e.g. a utility bill stating the residential address of the individual).

Details to be Collected on Corporates

The registered name, registration number, registered address, trading name and the address of the entity as well as the identity of the board of directors of the company and each authorised person. The FICA regulations contain the detail of other requirements pertaining to these as well as other persons/entities (foreign nationals, agents, foreign companies, trusts, partnerships and close corporations).

What are the high level requirements around beneficial ownership (identification and verification)?

The FICA stipulates, inter alia, that the identity of the client, or if the client is acting on behalf of another person, the person acting on behalf of the client, must be established and verified. The regulations have put in place measures to determine beneficial owners in respect of entities. For example, the particulars of every member and every representative of a close corporation must be obtained. In respect of a company the particulars of its manager and representatives must be provided as well as the particulars of its major shareholders who are able to exercise more than 25% of the votes at a general meeting of the company. In respect of trusts, the identity of the founder, beneficiaries and trustees must be established. The Act is currently being amended to include due diligence requirements for ultimate beneficial ownership; we expect these amendments to be promulgated during 2016.

What circumstances are enhanced customer due diligence measures required?

The FICA Guidance note 3A states that accountable institutions should follow a risk-based approach to customer due-diligence. Clients are given a risk-rating based on various risk factors. High-risk client types, high risk transactions and services warrant enhanced due diligence procedures. Enhanced due diligence is also recommended when the client is identified as a PEP; when non-face-to-face verification is undertaken, if the client is a correspondent bank, money service business, intermediary or an employee account.

How should FI's deal with Politically exposed persons

Guidance from the FIC defining PEPs stipulates that the bank should conduct enhanced due diligence specifically on PEPs, persons acting on their behalf as well as their families and close associates. The Wolfsberg principles as well as the FATF recommendations are referred to for additional guidance on how to recognise and deal with a PEP. In addition to performing customer due diligence measures, banks should put in place appropriate risk management systems to determine whether a customer, a potential customer or the beneficial owner is a PEP. The Act is currently being amended to include an enhanced definition of PEPs; we expect these amendments to be promulgated during 2016.

What enhanced due diligence must be performed for correspondent banking relationships?

The FIC guidance notes provide that banks should pay particular attention when continuing relationships with correspondent banks located in jurisdictions that have poor KYC standards or have been identified by FATF as being “non co-operative”. The Wolfsberg principles are referred to which set out the following risk indicators that a Bank shall consider, to ascertain the level of due diligence it will undertake, namely the correspondent banking client’s domicile, ownership and management structures and business and customer base.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

The FIC guidance notes provide that banks should refuse to enter into or continue a correspondent banking relationship with a bank incorporated in a jurisdiction in which it has no physical presence and which is unaffiliated with a regulated financial group (i.e. shell banks).

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

The FICA Regulations and guidance notes provide for instances in which client information is obtained in a non face-to-face situation. In such cases, banks “must take reasonable steps” to confirm the existence of the client and to verify the identity of the natural person involved, for example, receipt of faxes. In accepting business from non face-to-face customers banks should apply customer identification procedures to non face-to-face customers that are as effective as those that were applied to customers who were available for interview; there must be specific and adequate measures to mitigate the higher risk. Decisions concerning the additional steps to be taken in cases of a non face-to-face situation should be based on a bank’s risk framework.

To whom are SAR's made? (suspicious activity reports)

Financial Intelligence Centre (“FIC”)

Link to website of SAR reporting

https://www.fic.gov.za/

Other Suspicious or unusual transactions obligations.

Yes, the FICA has additional reporting requirements as contained within its Regulations. These are: a) Regulation 22A: Information to be reported concerning property associated with terrorist and related activities; and b) Regulation 22B: Cash threshold reporting.

Are there any de-minimis thresholds below which transactions do not need to be reported?

Cash transactions below ZAR24,999 (approx. USD1,560) do not need to be reported as per the terms of Regulation 22B. However, suspicious transactions do not have de-minimis thresholds. The FICA makes provision for conveyance of cash to or from the Republic (section 30) and for electronic transfers of money to and from the Republic, these amounts have however not as of yet come into effect.

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Not reporting within the required time period may lead to a maximum imprisonment of six months and/or a ZAR100,000 (approx. USD6,260) fine. Penalties for not reporting a suspicion or tipping off may lead to a maximum 15 years imprisonment and/or a ZAR10m (approx. USD625,960) fine. These can be imposed on an individual within an accountable institution.

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Once a suspicious transaction has been reported, section 33 of the FICA allows an accountable institution to continue with the relationship/transaction unless directed otherwise by the FIC. This is confirmed by Guidance Note 4 on Suspicious Transaction Reporting, issued by the FIC on 14 Mar2008.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

No. South African law only applies within the borders of the country.

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

No such requirement is in place.

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

Data Protection Laws And Personal Data

yes. POPI is intended to protect the integrity and sensitivity of private information. In response, entities operating in sectors that request personal particulars – such as financial services or telecommunications – will be required to carefully manage the data capture and storage process

Data Protection for Corporate Data

entities operating in sectors that request personal particulars – such as financial services or telecommunications – will be required to carefully manage the data capture and storage process

Data protection for "sensitive Data" and additional protections.

Do any restrictions on the transfer of credit reports exist?

There are prohibitions on the transfer of certain information outside the Republic with a few exceptions e.g. the data subject consents to the transfer; the recipient of the information is subject to a law, binding code of conduct or contract, etc. Section 25 prohibits the processing of information related to a: a) child who is subject to parental control in terms of the law; or b) data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.

Regulator Acronym

SARN

Year of last FATF mutual evaluation

2015, 2009

National ID card details

An Identity Card (ID), is issued at age 16 to all citizens; and permanent residents.

Compulsory?

National ID source

https://www.lawtrust.co.za/solutions/smart-id-card/south-african-national-id-card/

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Requirement to proceed

Yes

requirement to use automated suspicious transaction tools

Who are SARS made to?

FIC

shell banks

Yes

EDD for correspondent banking

Yes

Personal Data protection

Personal Data Protection Act

https://home.kpmg.com/content/dam/kpmg/pdf/2016/07/za-POPI-ACT.pdf

key restrictions

The law excludes long-term leases; transfers of property; the execution, retention and presentation of wills; and bills of exchange.

Summary

As long as the parties consent to electronic signatures per Section 13. Summary of law South Africa generally follows the EU Directive on Electronic Signatures. It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case. Consent is the prerequisite for allowing electronic signatures. However, according to Section 13(5) of the Electronic Communications and Transactions Act, if the parties have not agreed on a specific type of electronic signature, as long as there is a) a method to identify the person and to indicate the person’s approval of the information communicated; and b) the method is reliable and appropriate for the purpose for which the information was communicated, electronic signatures are also legal, admissible and enforceable in South Africa.

Are e-signatures acceptable

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

The main amendments to FICA do not detract from the original AML requirements but rather clarify areas in the law. The purpose of the amendments are inter alia to clarify the roles and responsibilities of supervisory bodies; authorise the Financial Intelligence Centre and supervisory bodies to conduct inspections; to provide for administrative sanctions and to make further provision for offences. Guidance Note 3A, issued in Mar 2013; rendered Guidance notes authoritative in nature, thus ensuring that accountable institutions adopt a risk based approach and take heed of High Risk clients and enhanced due diligence requirements for these.

Non financial sector (e.g. casinos, high value goods etc.)

Casinos - National Gambling Board, Real Estate - Estate Agency Affairs Board, Attorneys - Law Society

Does the country have a risk based approach?

Yes, although the FICA, 38 of 2001 and the regulations do not expressly make reference to a risk-based approach, it is covered in Guidance Note 1 issued by the FIC in Ap 2004 and reinforced by Guidance Note 3A issued in Mar 2013. Guidance Notes were declared to be authoritative in nature at this date and therefore accountable institutions are expected to apply a risk-based approach inter alia in respect of customer relationships. The Act is currently being reviewed to incorporate a risk-based approach; we expect the amended Act to be promulgated during in 2016.

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

Although the FICA stipulates that a record must be kept of the identity document, it does not specify the requirements pertaining to authentication. In terms of the guidance notes and best practices, it would be sufficient to review the original identity document and to obtain a copy of a document which is either certified by a Commissioner of Oaths; or where the original has been sighted by an employee of the accountable institution, and an indication of such is made on the copy. Guidance is also provided on non face-to-face verification by the FIC. Where non face-to-face verification is accepted as a means, the verification methods used must be as effective as those that are applied to customers who are available for an interview.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

There are prohibitions on the transfer of certain information outside the Republic, but none we are aware of in respect of transfer of information into the Republic.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

No. However, in terms of case law, the confidentiality of customer information is considered a qualified legal right that can be overridden by greater public interest.