KYC, KYB & AML compliance checklist
South Africa KYC, KYB & AML
A general FIC Act implementation baseline for Schedule 1 accountable institutions, with fintech and crypto-asset notes. It is not a complete sector checklist; banks, payment businesses, financial services providers, insurers, CASPs and other institutions must also apply their Prudential Authority, FSCA, SARB, FIC or other sector requirements.
- Reviewed
- 15 July 2026
- Version
- 1.0
- control areas
- 7
- implementation checks
- 49
Direct answer
What does the South Africa compliance checklist cover?
The South Africa checklist translates primary KYC, KYB and AML rules into 7 control areas and 49 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Registration
- FIC goAML within 90 days of operations
- Core framework
- FIC Act and Schedule 1
- Record retention
- Generally 5 years
- Suspicion reporting
- Without delay; no later than 15 days
Implementation detail
South Africa compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Applicability and governanceConfirm accountable-institution status and make the risk-based compliance programme operational and accountable.6 items+
Map Schedule 1 status
- Implementation action
- Map each service and product against Schedule 1 of the FIC Act. Do not infer accountable-institution status from the fintech label alone; record the activity, item number, license and any exclusions.
- Evidence to retain
- Accountable-institution and licensing assessment
- Primary citation
- FIC Act, Schedule 1
Identify every supervisor
- Implementation action
- Map every activity to its Schedule 1 item and Schedule 2 supervisory body. The FSCA supervises items 4, 5 and 12. SARB acts through the Prudential Authority for items 6, 7, 7A, 8, 19 and 23; through Financial Surveillance for items 10, 13 and 19; and through its other statutory functions for item 23. The FIC directly supervises listed sectors including items 1, 2, 3, 9, 11, 14, 20, 21 and 22 and where no other supervisory body applies. A CASP conducting item 22 activity is accountable to the FIC; if it also provides crypto-asset advice or intermediary services, item 12 FSCA licensing and coordinated oversight may also apply.
- Evidence to retain
- Schedule-item, license and supervisor register
- Primary citation
- FIC Act, Schedules 1-2; FIC supervision mapping
Register under every applicable item
- Implementation action
- Register through goAML within 90 days after commencing business as an accountable institution under every applicable Schedule 1 item. Notify the FIC in writing of changes to registration particulars within 90 days.
- Evidence to retain
- FIC registrations and change log
- Primary citation
- FIC Act, s.43B; FIC registration notice
Keep accountability at the highest level
- Implementation action
- The board, senior management or other person or group exercising the highest authority must approve the RMCP. The board of a legal person, or senior management where there is no board, remains accountable for institutional and employee compliance. A legal person must maintain a compliance function and assign a person with sufficient competence and seniority to ensure its effectiveness; ultimate accountability is not an operational task that can be delegated away.
- Evidence to retain
- Approval, appointment, mandate and governance minutes
- Primary citation
- FIC Act, s.42A
Maintain an operational RMCP
- Implementation action
- Develop, document, maintain, implement and regularly review the RMCP. Address every section 42 component or document why it is not applicable, make the RMCP available to relevant employees and provide it to the FIC or supervisor on request. Cover institutional risk, CDD, BO, TFS, PEP, monitoring, reporting, records, training and governance.
- Evidence to retain
- Approved RMCP mapped to actual controls
- Primary citation
- FIC Act, s.42; Revised GN 7A
Apply the sector overlay
- Implementation action
- Add applicable PA, FSCA, SARB, exchange-control, payment, insurance, credit, CASP or professional-sector requirements and resolve differences in favor of the binding rule.
- Evidence to retain
- Sector-overlay matrix
- Primary citation
- Applicable sector law and supervisor guidance
02KYC for natural personsEstablish and verify identity using methods proportionate to risk and documented in the RMCP.6 items+
Prohibit anonymous or fictitious clients
- Implementation action
- Do not establish a business relationship or conclude a single transaction with an anonymous client or a client using an apparent false or fictitious name.
- Evidence to retain
- Onboarding rule and exception report
- Primary citation
- FIC Act, s.20A
Establish the client's identity
- Implementation action
- Collect sufficient identity particulars for the customer type and risk, including full legal name, date of birth, identification number or passport details, nationality, address and contact information as defined by the RMCP and applicable sector rule.
- Evidence to retain
- Completed customer profile
- Primary citation
- FIC Act, s.21; RMCP
Verify identity reliably
- Implementation action
- Verify identity using reliable independent sources and methods defined in the RMCP, documenting authenticity checks, exceptions and the basis for any non-face-to-face approach.
- Evidence to retain
- Verification result and audit trail
- Primary citation
- FIC Act, s.21; GN 7A
Verify representatives and underlying clients
- Implementation action
- Where a person acts for another, establish and verify the representative and the person on whose behalf they act, and confirm authority.
- Evidence to retain
- Authority evidence and relevant KYC files
- Primary citation
- FIC Act, ss.21 and 21B
Understand purpose and source of funds
- Implementation action
- Record the nature and intended purpose of the relationship, expected activity and source of funds expected to be used.
- Evidence to retain
- Purpose and expected-activity profile
- Primary citation
- FIC Act, s.21A
Resolve failed CDD
- Implementation action
- If required CDD cannot be completed, do not establish the relationship, conclude or give effect to the transaction, or continue the relationship; terminate according to the RMCP and consider a section 29 report.
- Evidence to retain
- Decline or exit and reporting decision
- Primary citation
- FIC Act, s.21E
03KYB for legal persons and arrangementsVerify the entity and authority, then identify the natural persons who ultimately own or control it.7 items+
Verify legal existence and status
- Implementation action
- Obtain and independently verify the registered name, registration number, legal form, status, governing documents and registered address through CIPC or another reliable registry.
- Evidence to retain
- Current registry result and formation documents
- Primary citation
- FIC Act, ss.21 and 21B; RMCP
Understand activity and financial profile
- Implementation action
- Record the business activity, operating address, expected products, transaction volumes, counterparties, geographies and source of funds.
- Evidence to retain
- Business and expected-activity profile
- Primary citation
- FIC Act, s.21A
Verify authority and required connected persons
- Implementation action
- Establish and verify every person acting for a client or on whose behalf a client acts, and confirm authority. Identify and take reasonable steps to verify all natural-person beneficial owners under section 21B. Obtain director and controller information needed to understand the structure, but verify additional directors or controllers only where they are representatives, beneficial owners, required by the RMCP because of risk, or covered by a sector rule.
- Evidence to retain
- Mandate, structure analysis and required KYC
- Primary citation
- FIC Act, ss.21 and 21B
Apply the beneficial-owner cascade
- Implementation action
- Identify natural persons exercising controlling ownership, then control through other means, and only where no such person can be identified after reasonable measures, the person exercising control over management.
- Evidence to retain
- Ownership and control chart with BO rationale
- Primary citation
- FIC Act, s.21B; PCC 59
Use 5% as a control indicator, not a safe harbor
- Implementation action
- PCC 59 strongly recommends identifying persons with 5% or more ownership interest, but the AML test remains control-based. Do not stop where lower ownership, agreements, voting rights or other means create control.
- Evidence to retain
- Threshold and other-control analysis
- Primary citation
- PCC 59, paras. 2.18-2.19
Check CIPC BO information
- Implementation action
- Compare customer declarations with available CIPC BO and securities information. Newly incorporated entities must file BO information within 10 business days after incorporation and amended information within 10 business days after a change. CIPC applies a 5% minimum threshold with broader effective-control indicators; declarations and the applicable securities or beneficial-interest register are also filed annually with the annual return within 30 business days after the incorporation anniversary. Do not treat CIPC information or 5% ownership as conclusive for AML CDD.
- Evidence to retain
- CIPC result, discrepancy record and filing evidence
- Primary citation
- CIPC BO guidance; PCC 59
Resolve trusts and layered structures
- Implementation action
- Trace ownership and control through intermediate companies, partnerships, trusts or nominees and obtain reliable evidence for trustees, founders, beneficiaries, protectors and other controlling persons as applicable.
- Evidence to retain
- Full structure chart and arrangement documents
- Primary citation
- FIC Act, s.21B; PCC 59
04Risk assessment, PEPs and sanctionsApply the RMCP's risk methodology while treating targeted financial sanctions as a non-risk-based prohibition.8 items+
Assign and explain customer risk
- Implementation action
- Assess customer, ownership, product, service, delivery channel, geography and transaction risk under the RMCP and retain the rationale and approval.
- Evidence to retain
- Risk assessment and decision
- Primary citation
- FIC Act, s.42; GN 7A
Identify prominent persons
- Implementation action
- Determine whether customers or beneficial owners are foreign or domestic politically exposed persons or prominent influential persons, including relevant immediate family and known close associates.
- Evidence to retain
- PEP/PIP result and relationship mapping
- Primary citation
- FIC Act, ss.21F-21G and Schedules 3A-3C
Apply risk-specific prominent-person controls
- Implementation action
- For foreign PEPs, obtain senior approval, establish source of wealth and funds and enhance monitoring. Apply those measures to domestic PEPs and prominent influential persons where the relationship is higher risk.
- Evidence to retain
- Approval, source analysis and monitoring plan
- Primary citation
- FIC Act, ss.21F-21G; PCC 51
Screen UN and domestic designations
- Implementation action
- Scrutinise prospective and existing clients, beneficial owners, representatives, persons on whose behalf clients act and transaction parties against the current FIC-hosted UN Security Council TFS list and applicable section 23 POCDATARA court orders. Screening is mandatory regardless of customer risk and must occur at onboarding, during the relationship and whenever designations or orders change.
- Evidence to retain
- Time-stamped list and order screening with match decision
- Primary citation
- FIC Act, ss.26A and 28A; POCDATARA, s.23; PCC 44A
Freeze and prohibit immediately
- Implementation action
- On a true match, immediately and without waiting for consent, another court order or prior reporting, cease all activity and freeze property in the institution's possession or control. Do not deal with, release or make property, funds, financial services or other services available to the designated person, persons acting for them or related controlled property. Lift the freeze only after delisting, a domestic order is set aside or a valid section 26C permission applies.
- Evidence to retain
- Freeze, block, non-dealing and authorization record
- Primary citation
- FIC Act, ss.26B-26C; POCDATARA; PCC 44A
File the correct TFS report
- Implementation action
- File a TPR without delay and no later than five days after awareness that the institution possesses or controls section 28A property, including attempted transactions. File a section 29 report where activity is suspicious but designation or property connection is not established as fact.
- Evidence to retain
- TPR or STR decision, filing and timeline
- Primary citation
- FIC Act, ss.28A-29; PCC 44A
Screen employees
- Implementation action
- Screen prospective and current employees for competence and integrity periodically using a documented risk-based approach. Scrutinise employee information against applicable TFS information when section 26A notices are issued. Retain the methodology and outcomes and make them available to the FIC or supervisor on request.
- Evidence to retain
- Employee-screening policy, results and review log
- Primary citation
- FIC Directive 8; PCC 55
Use adverse information proportionately
- Implementation action
- Review reliable adverse information where relevant, distinguish allegation from verified fact and record its effect on risk and approval.
- Evidence to retain
- Adverse-information disposition
- Primary citation
- RMCP risk-based control
05Enhanced due diligenceIncrease information, verification, approval and monitoring where the documented risk is higher.5 items+
Collect additional customer and BO information
- Implementation action
- Obtain further identity, ownership, business, geography and transaction information needed to understand and mitigate the higher risk.
- Evidence to retain
- EDD information pack
- Primary citation
- FIC Act risk-based framework; RMCP
Corroborate material claims
- Implementation action
- Use additional reliable sources to verify identity, legal existence, ownership, control, expected activity and explanations for unusual features.
- Evidence to retain
- Independent corroboration record
- Primary citation
- GN 7A; PCC 59
Establish source of funds and wealth
- Implementation action
- Establish and, where risk warrants, corroborate source of funds and source of wealth, including mandatory prominent-person measures.
- Evidence to retain
- Source evidence and plausibility analysis
- Primary citation
- FIC Act, ss.21A and 21F-21G
Obtain senior approval where required
- Implementation action
- Require documented approval for foreign PEP and applicable higher-risk domestic PEP or prominent-influential-person relationships and for other cases specified by the RMCP or sector rule.
- Evidence to retain
- Approval and conditions
- Primary citation
- FIC Act, ss.21F-21G; RMCP
Increase ongoing monitoring
- Implementation action
- Set tighter review cycles, transaction scrutiny, alert thresholds and escalation requirements proportionate to higher risk.
- Evidence to retain
- EDD monitoring plan
- Primary citation
- FIC Act, s.21C; RMCP
06Ongoing due diligence and fintech controlsKeep customer knowledge current, connect monitoring to the expected profile and apply technology-specific directives.9 items+
Monitor throughout the relationship
- Implementation action
- Conduct ongoing due diligence and scrutinise transactions for consistency with the institution's knowledge of the customer, business, risk profile, source of funds and expected activity.
- Evidence to retain
- Monitoring rules, alerts and case outcomes
- Primary citation
- FIC Act, s.21C
Refresh on risk and trigger events
- Implementation action
- Keep CDD and BO information current at a risk-based frequency and when ownership, authority, activity, product, geography, behavior or prior information changes.
- Evidence to retain
- Review schedule and event-driven reviews
- Primary citation
- FIC Act, ss.21C-21D; RMCP
Examine unusual activity
- Implementation action
- Investigate activity lacking an apparent lawful purpose, inconsistent with the expected profile or otherwise unusual, and preserve the rationale for reporting or closing the case.
- Evidence to retain
- Investigation notes and decision
- Primary citation
- FIC Act, s.29; GN 4B
Meet Directive 5 ATMS clocks
- Implementation action
- Where a reporter uses an automated transaction monitoring system, treat alert generation as knowledge of potentially reportable activity and begin investigating within 48 hours, excluding Saturdays, Sundays and public holidays. Submit a section 29 report as soon as possible and no later than 15 days after alert generation. Prevent backlogs, document decisions and preserve manual reporting and monitoring for system gaps.
- Evidence to retain
- Alert timeline, investigation and filing record
- Primary citation
- FIC Directive 5; PCC 45
Govern ATMS effectiveness
- Implementation action
- Assign skilled staff and responsibilities; test detection effectiveness, data integrity, scenarios, thresholds and rules; perform risk-based tuning; document and test configuration changes; obtain prior highest-authority approval for significant changes; and obtain highest-authority review and approval of ATMS effectiveness at least annually. Include the methodology and workflow in the RMCP.
- Evidence to retain
- Tests, changes, annual approval and RMCP mapping
- Primary citation
- FIC Directive 5; PCC 45
Apply Directive 9 to in-scope CASPs
- Implementation action
- Directive 9 applies to item 12 and item 22 accountable institutions acting as ordering, intermediary or recipient CASPs for domestic or cross-border crypto-asset transfers and has applied since 30 April 2025. In a business relationship, any value above zero qualifies. Ordering CASPs must transmit required originator and beneficiary information securely before or simultaneously with the transfer; use the reduced treatment only for qualifying single transactions below R5,000 and verify the originator where suspicion exists.
- Evidence to retain
- Travel-rule messages, threshold logic and exceptions
- Primary citation
- FIC Directive 9
Control counterpart CASPs and incomplete data
- Implementation action
- Conduct due diligence on counterpart CASPs, preserve required information through intermediary and recipient stages, and maintain risk-based procedures for incomplete information and unhosted wallets in the RMCP. An ordering CASP must not execute a transfer when it cannot comply with Directive 9 paragraphs 4.1 to 4.7.
- Evidence to retain
- Counterparty due diligence and transfer decisions
- Primary citation
- FIC Directive 9
Submit the 2026 risk and compliance return
- Implementation action
- Check Directive 11 scope. The 30 June 2026 deadline for item 2 trust and company service providers, item 9 casinos, item 11 non-bank credit providers, item 14 Postbank, item 21 South African Mint and item 22 CASPs is now overdue; remediate immediately if outstanding. Item 1 legal practitioners, item 3 estate agents, item 20 high-value goods dealers and item 9 non-casino gambling institutions must submit by 31 July 2026 through the prescribed platform under PCC 60 and current FIC instructions.
- Evidence to retain
- Scope assessment, submission and remediation record
- Primary citation
- FIC Directive 11; 2026 RCR notice; PCC 60
Maintain continuity across KYC and monitoring
- Implementation action
- Ensure monitoring and case decisions can retrieve the onboarding purpose, expected activity, BO structure, risk rating and prior reviews instead of treating KYC as a static file.
- Evidence to retain
- Linked customer, monitoring and case audit trail
- Primary citation
- Recommended implementation control; FIC lifecycle obligations
07Reporting, records, privacy and assuranceFile each report within its own trigger and deadline, prevent tipping off and preserve retrievable evidence.8 items+
File STRs and SARs
- Implementation action
- Section 29 applies broadly to persons carrying on, managing or employed by a business. Report suspicious or unusual transactions or activities through goAML as soon as possible and without delay, but no later than 15 days excluding Saturdays, Sundays and public holidays after awareness of the reportable fact; internal review time is included. A report does not itself stop a transaction, although a section 34 FIC intervention may prohibit continuation for up to five days.
- Evidence to retain
- STR/SAR reference and decision timeline
- Primary citation
- FIC Act, ss.29 and 34; GN 4B; FIC reporting FAQ
Prevent tipping off
- Implementation action
- Do not disclose that a section 29 report has been or will be filed or reveal its contents, and limit access to reports and investigations.
- Evidence to retain
- Access controls and communications guidance
- Primary citation
- FIC Act, ss.29 and 38
File cash threshold reports
- Implementation action
- Report physical cash received or paid of R50,000 or more as soon as possible and no later than three business days after awareness. Do not treat electronic transfers as cash and do not assume CTR filing replaces an STR or TPR.
- Evidence to retain
- CTR logic, filings and reconciliation
- Primary citation
- FIC Act, s.28; GN 5C
File IFTRs where the institution is in scope
- Implementation action
- Authorised dealers, authorised dealers with limited authority, financial services providers with a direct-reporting dispensation and Postbank must report each qualifying inbound or outbound cross-border electronic transfer of R20,000 or more. Submit as soon as possible and no later than three days excluding Saturdays, Sundays and public holidays after awareness that the transfer occurred, ordinarily when value becomes available to the beneficiary. Apply per transfer without aggregation and include qualifying Common Monetary Area transfers.
- Evidence to retain
- IFTR scope assessment, filings and reconciliation
- Primary citation
- FIC Act, s.31; GN 9
Escalate missed reports
- Implementation action
- If the institution discovers that a required CTR, TPR, STR/SAR or IFTR was not submitted, immediately notify the FIC in writing through the prescribed channel, request engagement on mitigation and continue remediating the missed report. Notification does not condone the failure, extend the original deadline or prevent enforcement.
- Evidence to retain
- FIC notification, late filing and remediation record
- Primary citation
- FIC Directive 3A
Retain retrievable records
- Implementation action
- Keep CDD records for five years after relationship termination, transaction records for five years after the transaction and section 29 reporting records for five years after submission; ensure free and easy access, legibility and prompt production.
- Evidence to retain
- Retention schedule and retrieval test
- Primary citation
- FIC Act, ss.22-24; FIC reference guide
Apply POPIA controls
- Implementation action
- Register the Information Officer, document the eight lawful-processing conditions, minimization, transparency, security safeguards, operator governance, rights, cross-border transfers, retention, impact assessments, prior authorization where required and security-compromise response. Preserve FIC Act records where legally required.
- Evidence to retain
- Information Officer record, processing register and privacy controls
- Primary citation
- POPIA; Information Regulator guidance
Train, test and remediate
- Implementation action
- Provide ongoing employee training sufficient to enable compliance with the FIC Act and RMCP. Test control effectiveness at documented intervals and remediate weaknesses. Independent assurance is a recommended implementation control unless a binding sector rule, licence condition or governance standard makes it mandatory.
- Evidence to retain
- Training, testing record and remediation log
- Primary citation
- FIC Act, s.43; RMCP

7 control areas and 49 implementation checks, with direct regulatory sources.
Download the South Africa KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked South Africa implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.0, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
22 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Financial Intelligence Centre Act booklet, current consolidated materialFinancial Intelligence Centre · primary
- Compliance obligations and supervisory scopeFinancial Intelligence Centre · primary
- Reference guide for accountable institutionsFinancial Intelligence Centre · primary
- Revised Guidance Note 7A on risk management and compliance programmesFinancial Intelligence Centre · primary
- PCC 59 on beneficial ownershipFinancial Intelligence Centre · primary
- Targeted financial sanctions obligations and listFinancial Intelligence Centre · primary
- PCC 44A on targeted financial sanctions and domestic designationsFinancial Intelligence Centre · primary
- Schedule 2 supervision and enforcement mappingFinancial Intelligence Centre · primary
- Crypto asset service provider sector obligationsFinancial Intelligence Centre · primary
- Suspicious transaction reporting periodFinancial Intelligence Centre · primary
- Cash threshold reporting obligationsFinancial Intelligence Centre · primary
- Guidance Note 9 on international funds transfer reportingFinancial Intelligence Centre · primary
- Directive 9 travel rule for crypto asset transfersFinancial Intelligence Centre · primary
- Directive 5 on automated transaction monitoring systemsFinancial Intelligence Centre · primary
- PCC 45 on implementation of Directive 5Financial Intelligence Centre · primary
- Directive 8 and PCC 55 on employee screeningFinancial Intelligence Centre · primary
- Directive 3A on failures to submit regulatory reportsFinancial Intelligence Centre · primary
- 2026 risk and compliance return deadlinesFinancial Intelligence Centre · primary
- Beneficial ownership filing guidanceCompanies and Intellectual Property Commission · primary
- POPIA compliance and Information Officer guidanceInformation Regulator South Africa · primary
- FATF increased monitoring statement, 24 October 2025Financial Action Task Force · primary
- South Africa AML Operations in 2026: Why KYC Alone Fails Under FICAVOVE ID - contextual reading · context
Direct answers
South Africa KYC, KYB and AML questions
Which South African businesses must follow the FIC Act's accountable-institution duties?+
The duties apply to the categories in Schedule 1, including specified financial institutions, financial services providers, credit providers, money or value transfer providers, high-value goods dealers and crypto asset service providers. A fintech label alone is not determinative; map the actual regulated service and Schedule 1 item.
What is required for KYC under the FIC Act?+
An accountable institution must establish and verify customer identity, understand the nature and intended purpose of the relationship and expected source of funds, identify relevant representatives and beneficial owners, apply ongoing due diligence and implement the methods in a risk-based RMCP and any sector rule.
How should beneficial ownership be determined in South Africa?+
Apply the section 21B control cascade and identify the natural persons exercising controlling ownership or control through other means. PCC 59 strongly recommends identifying persons with 5% or more ownership, but that is not a safe harbor that replaces broader control analysis. Compare customer information with CIPC BO information where available.
When must suspicious activity be reported in South Africa?+
A section 29 STR or SAR must be filed as soon as possible and without delay, but no later than 15 days excluding Saturdays, Sundays and public holidays after awareness of the reportable fact. Internal review time does not extend that period.
What are the main threshold reports?+
All accountable institutions report physical cash of R50,000 or more within three business days. Only specified institutions authorised for relevant cross-border transfers file IFTRs for R20,000 or more within three days excluding Saturdays, Sundays and public holidays. Suspicion and terrorist-property reports have separate triggers and must not be replaced by a threshold report.
Is South Africa currently on the FATF grey list?+
No. FATF removed South Africa from increased monitoring on 24 October 2025. Institutions should keep country-risk records current and continue applying their documented risk-based controls.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.0
This is a general South Africa baseline, not legal advice or a complete sector checklist. Being a fintech or technology provider does not by itself determine Schedule 1 status. Confirm the regulated activity, accountable-institution category, supervisor, product rules and current FIC directives before implementation.