Global Regulations and Requirements for KYC Onboarding
(powered by KYCC small icon KYC-Chain)

Contact us

namedate of birthidentity numberresidential address compared to information used for verification purposes
namedate of birthidentity numberresidential address compared to information used for verification purposesresidential address
registered nameregistration numberregistered addresstrading nameentity addressidentity of board of directors
South African identity card
Electronic Communication and Transactions Act 25 of 2002
The Money Laundering and Terrorist Financing Control regulations were published in Dec 2002 and have been amended on various occasions, the most recent being in Nov 2010.
South African Reserve Bank
Financial Services Board,,
The FICA has issued various guidance notes with regards to AML requirements
Yes. Banks and other accountable institutions were required to retrospectively identify and verify the identity and other information of all clients that held accounts with them at the time that the law became operational. An accountable institution that had an established business relationship with a client before the FICA took effect may not conclude a transaction in the course of that business relationship, unless it has taken the prescribed steps to establish and verify the identity of the client.
The last FATF Mutual Evaluation conducted on South Africa was finalised in 2008. The applicable report was published on 02 Mar 2008
No. Due diligence is always required for all client relationships and single transactions, irrespective of the value involved. However the law does make a provision for certain exemptions where a reduced level of due diligence is permitted. These exemptions form part of the FICA regulations and affect various industries.
An accountable institution must verify the full name, date of birth and identity number of a natural person to an identification document of that person. The residential address must be compared to information that can be used for verification purposes (e.g. a utility bill stating the residential address of the individual).
The registered name, registration number, registered address, trading name and the address of the entity as well as the identity of the board of directors of the company and each authorised person. The FICA regulations contain the detail of other requirements pertaining to these as well as other persons/entities (foreign nationals, agents, foreign companies, trusts, partnerships and close corporations).
The FICA stipulates, inter alia, that the identity of the client, or if the client is acting on behalf of another person, the person acting on behalf of the client, must be established and verified. The regulations have put in place measures to determine beneficial owners in respect of entities. For example, the particulars of every member and every representative of a close corporation must be obtained. In respect of a company the particulars of its manager and representatives must be provided as well as the particulars of its major shareholders who are able to exercise more than 25% of the votes at a general meeting of the company. In respect of trusts, the identity of the founder, beneficiaries and trustees must be established. The Act is currently being amended to include due diligence requirements for ultimate beneficial ownership; we expect these amendments to be promulgated during 2016.
The FICA Guidance note 3A states that accountable institutions should follow a risk-based approach to customer due-diligence. Clients are given a risk-rating based on various risk factors. High-risk client types, high risk transactions and services warrant enhanced due diligence procedures. Enhanced due diligence is also recommended when the client is identified as a PEP; when non-face-to-face verification is undertaken, if the client is a correspondent bank, money service business, intermediary or an employee account.
Guidance from the FIC defining PEPs stipulates that the bank should conduct enhanced due diligence specifically on PEPs, persons acting on their behalf as well as their families and close associates. The Wolfsberg principles as well as the FATF recommendations are referred to for additional guidance on how to recognise and deal with a PEP. In addition to performing customer due diligence measures, banks should put in place appropriate risk management systems to determine whether a customer, a potential customer or the beneficial owner is a PEP. The Act is currently being amended to include an enhanced definition of PEPs; we expect these amendments to be promulgated during 2016.
The FIC guidance notes provide that banks should pay particular attention when continuing relationships with correspondent banks located in jurisdictions that have poor KYC standards or have been identified by FATF as being “non co-operative”. The Wolfsberg principles are referred to which set out the following risk indicators that a Bank shall consider, to ascertain the level of due diligence it will undertake, namely the correspondent banking client’s domicile, ownership and management structures and business and customer base.
The FIC guidance notes provide that banks should refuse to enter into or continue a correspondent banking relationship with a bank incorporated in a jurisdiction in which it has no physical presence and which is unaffiliated with a regulated financial group (i.e. shell banks).
The FICA Regulations and guidance notes provide for instances in which client information is obtained in a non face-to-face situation. In such cases, banks “must take reasonable steps” to confirm the existence of the client and to verify the identity of the natural person involved, for example, receipt of faxes. In accepting business from non face-to-face customers banks should apply customer identification procedures to non face-to-face customers that are as effective as those that were applied to customers who were available for interview; there must be specific and adequate measures to mitigate the higher risk. Decisions concerning the additional steps to be taken in cases of a non face-to-face situation should be based on a bank’s risk framework.
Financial Intelligence Centre (“FIC”)
Yes, the FICA has additional reporting requirements as contained within its Regulations. These are: a) Regulation 22A: Information to be reported concerning property associated with terrorist and related activities; and b) Regulation 22B: Cash threshold reporting.
Cash transactions below ZAR24,999 (approx. USD1,560) do not need to be reported as per the terms of Regulation 22B. However, suspicious transactions do not have de-minimis thresholds. The FICA makes provision for conveyance of cash to or from the Republic (section 30) and for electronic transfers of money to and from the Republic, these amounts have however not as of yet come into effect.
Not reporting within the required time period may lead to a maximum imprisonment of six months and/or a ZAR100,000 (approx. USD6,260) fine. Penalties for not reporting a suspicion or tipping off may lead to a maximum 15 years imprisonment and/or a ZAR10m (approx. USD625,960) fine. These can be imposed on an individual within an accountable institution.
Once a suspicious transaction has been reported, section 33 of the FICA allows an accountable institution to continue with the relationship/transaction unless directed otherwise by the FIC. This is confirmed by Guidance Note 4 on Suspicious Transaction Reporting, issued by the FIC on 14 Mar2008.
No. South African law only applies within the borders of the country.
No such requirement is in place.
yes. POPI is intended to protect the integrity and sensitivity of private information. In response, entities operating in sectors that request personal particulars – such as financial services or telecommunications – will be required to carefully manage the data capture and storage process
entities operating in sectors that request personal particulars – such as financial services or telecommunications – will be required to carefully manage the data capture and storage process
There are prohibitions on the transfer of certain information outside the Republic with a few exceptions e.g. the data subject consents to the transfer; the recipient of the information is subject to a law, binding code of conduct or contract, etc. Section 25 prohibits the processing of information related to a: a) child who is subject to parental control in terms of the law; or b) data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.
2015, 2009
An Identity Card (ID), is issued at age 16 to all citizens; and permanent residents.
The law excludes long-term leases; transfers of property; the execution, retention and presentation of wills; and bills of exchange.
As long as the parties consent to electronic signatures per Section 13. Summary of law South Africa generally follows the EU Directive on Electronic Signatures. It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case. Consent is the prerequisite for allowing electronic signatures. However, according to Section 13(5) of the Electronic Communications and Transactions Act, if the parties have not agreed on a specific type of electronic signature, as long as there is a) a method to identify the person and to indicate the person’s approval of the information communicated; and b) the method is reliable and appropriate for the purpose for which the information was communicated, electronic signatures are also legal, admissible and enforceable in South Africa.
The main amendments to FICA do not detract from the original AML requirements but rather clarify areas in the law. The purpose of the amendments are inter alia to clarify the roles and responsibilities of supervisory bodies; authorise the Financial Intelligence Centre and supervisory bodies to conduct inspections; to provide for administrative sanctions and to make further provision for offences. Guidance Note 3A, issued in Mar 2013; rendered Guidance notes authoritative in nature, thus ensuring that accountable institutions adopt a risk based approach and take heed of High Risk clients and enhanced due diligence requirements for these.
Casinos - National Gambling Board, Real Estate - Estate Agency Affairs Board, Attorneys - Law Society
Yes, although the FICA, 38 of 2001 and the regulations do not expressly make reference to a risk-based approach, it is covered in Guidance Note 1 issued by the FIC in Ap 2004 and reinforced by Guidance Note 3A issued in Mar 2013. Guidance Notes were declared to be authoritative in nature at this date and therefore accountable institutions are expected to apply a risk-based approach inter alia in respect of customer relationships. The Act is currently being reviewed to incorporate a risk-based approach; we expect the amended Act to be promulgated during in 2016.
Although the FICA stipulates that a record must be kept of the identity document, it does not specify the requirements pertaining to authentication. In terms of the guidance notes and best practices, it would be sufficient to review the original identity document and to obtain a copy of a document which is either certified by a Commissioner of Oaths; or where the original has been sighted by an employee of the accountable institution, and an indication of such is made on the copy. Guidance is also provided on non face-to-face verification by the FIC. Where non face-to-face verification is accepted as a means, the verification methods used must be as effective as those that are applied to customers who are available for an interview.
There are prohibitions on the transfer of certain information outside the Republic, but none we are aware of in respect of transfer of information into the Republic.
No. However, in terms of case law, the confidentiality of customer information is considered a qualified legal right that can be overridden by greater public interest.