Regulatory Compliance · South Africa
FICA & POPIA Compliance
The two regulatory regimes most South African businesses must get right — explained plainly, backed by the actual words of the law.
What we cover
Two compliance regimes, in plain language
Each links to a comprehensive hub backed by the Act, the Regulations, and the Regulator’s guidance.
FICA
The Financial Intelligence Centre Act — who must comply, customer due diligence, beneficial ownership, the documents you actually need, the Risk Management and Compliance Programme, and enforcement. FICA without the myths.
POPIA in Plain Language
The Protection of Personal Information Act explained — when it applies, the eight conditions for lawful processing, consent and legitimate interests, direct marketing (s 69), operators, cross-border transfers, breaches, and the fines.
Frequently Asked Questions
Compliance questions
- What is the difference between FICA and POPIA?
  FICA (the Financial Intelligence Centre Act) is anti-money-laundering law: it requires “accountable institutions” to know their clients, verify identity and beneficial ownership, keep records and report suspicious activity. POPIA (the Protection of Personal Information Act) is data-protection law: it governs how any responsible party may lawfully collect, use, store and share personal information. Many businesses must comply with both. See FICA and POPIA.
- Does my business have to comply with FICA?
  Only “accountable institutions” listed in Schedule 1 to the Act must comply — including attorneys, estate agents, banks, and dealers in high-value goods, among others. The FICA hub sets out exactly who must comply and what each institution must do.
- When does POPIA apply?
  POPIA applies whenever a responsible party, domiciled or using means in South Africa, processes personal information — subject to limited exclusions. It is not limited to big companies. The POPIA hub explains when it applies and the eight conditions for lawful processing.
- What are the penalties for non-compliance?
  Both regimes carry real consequences — administrative penalties, and in serious cases criminal liability. The POPIA hub details the Information Regulator’s enforcement and fines; the FICA hub covers the Financial Intelligence Centre’s enforcement powers.
Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration 17444.
This page is general information, not legal advice for your specific matter.
Next step
Need to get FICA or POPIA right?
From a compliance health-check to a full programme, get practical advice grounded in the Acts — not box-ticking.
For the businesses we act for
The Keystone Workspace
The attorney-designed platform the businesses we act for use to run their contracts, e-signatures and company secretarial work in one place.