The FICA hub

FICA without the myths

Almost everyone in South Africa has been FICA’d. Very few people — including many who do the FICA-ing — can say what the law actually requires. This hub can, with the sources to prove it.

Legal position stated as at 11 June 2026

  • Every statement cited to the Act or FIC guidance
  • Written by a practising attorney
  • Updated when the law changes — not when it’s convenient
What documents do I actually need?Twelve myths, corrected
On this page

What FICA is — and is not

The Financial Intelligence Centre Act 38 of 2001 (“FICA” or “the FIC Act”) exists to identify the proceeds of crime and to combat money laundering, terrorist financing and — since the 2022 amendments — the financing of weapons-of-mass-destruction proliferation. It works by making certain businesses (“accountable institutions”) the front line: they must know who their clients are, keep records, report certain transactions to the Financial Intelligence Centre, and manage their exposure to abuse through a documented, risk-based programme.

The FIC itself is a government intelligence unit. It receives reports and develops financial intelligence for investigators and prosecutors. It does not investigate or prosecute crime itself, it does not freeze ordinary customers’ accounts, and it never demands fees or payments from members of the public — emails demanding a “FICA fee” or “release payment” are scams and can be reported to scams@fic.gov.za. See FICA scams.

Who must comply

Only the institutions listed in Schedule 1 to the Act carry FICA duties. The list was substantially rewritten with effect from 19 December 2022 and now covers, among others: legal practitioners and trust/company service providers; estate agents (property practitioners); banks; life insurers; financial services providers; foreign-exchange and money transfer providers; gambling licensees; credit providers; crypto asset service providers; and dealers in high-value goods for any transaction of R100 000 or more — which is how motor vehicle and Krugerrand dealers are now caught.

If a business is not in Schedule 1, FICA’s customer due diligence duties do not apply to it at all — whatever its own forms may say. The full Schedule 1 list, explained.

When the duties are triggered

Customer due diligence is triggered when an accountable institution enters into a business relationship (an ongoing arrangement — a bank account, a mandate, an attorney-client engagement) or concludes a single transaction of R5 000 or more (FIC Act s 1; reg 1A). Below R5 000, full due diligence is not required for a once-off transaction — but an institution may never deal with an anonymous client or one using an apparently false name (s 20A).

The 2017 change that explains almost everything

Until 2 October 2017, regulations prescribed exactly which documents to collect. On that day the prescriptive chapter was repealed (GN R1062) and replaced with a risk-based approach:

What the source says
Every institution must establish and verify identity “in accordance with its Risk Management and Compliance Programme” (RMCP) — its own documented rulebook, required by section 42.
FIC Act s 21(1)About this instrumentOfficial source

That is why there is no official list of FICA documents, why two banks lawfully ask for different things, why proof of address is policy rather than law, and why an institution may lawfully ask for more than the Act itself mentions — and must then enforce its own rules. Most FICA myths are fossils of the pre-2017 regime. Twelve of them, corrected.

If you are being FICA’d

Start with what documents FICA actually requires and the proof-of-address question. If something has gone wrong — an account on hold, a frozen card — see FICA holds and freezes. Your negotiating room, the repetition question and the POPIA myth are covered in your rights when asked for FICA.

If your company is being FICA’d

The company FICA pack guide separates the four things the Act requires from the lever-arch file the checklist demands. The beneficial-ownership cascade shows where the document chain legally stops, the threshold guide settles 25% vs 5%, and CIPC BO vs FICA untangles the two regimes that share one name. Trusts and partnerships have their own guide.

If you run an accountable institution

Check whether Schedule 1 catches you (car dealers and crypto providers: since December 2022 it probably does), then see registration, the RMCP and the reporting duties and what enforcement actually looks like — from Capitec’s R56.25 million sanction to the R7.77 million attorney-firm penalty. Sector guides: estate agents, attorneys, car dealers and crypto.

Everything cited across the hub is collected, dated and linked in the FICA source library, with a glossary and a timeline for orientation.

This hub is general information, not legal advice. Accountable institutions must apply their own Risk Management and Compliance Programmes; speak to a professional adviser about your specific circumstances.

The FICA library · 22 guides

Explore the hub

Every FICA question — from “what documents do I need” to beneficial-ownership cascades — answered in plain language and cited to the Act itself. Start anywhere.

Verification & documents

Companies & ownership

For customers

For institutions

Sector guides

Reference

Common questions

Frequently asked questions

  • FICA is the Financial Intelligence Centre Act 38 of 2001 — South Africa’s anti-money-laundering law. It makes certain businesses (“accountable institutions”) the front line: they must know who their clients are, keep records, report certain transactions to the Financial Intelligence Centre, and manage risk through a documented programme. When a bank “FICAs” you, it is discharging these duties.

  • There is no statutory list — and there hasn’t been since 2 October 2017. In practice you will always be asked for full names, date of birth and your ID (or passport) number, verified against a reliable independent source. Everything else — proof of address, certified copies — is the institution’s own policy choice. Full guide.

  • Not by law — not since 2 October 2017, and the “3 months” rule was never law at all. If an institution asks, that is its own RMCP choice, which it may lawfully enforce. Full guide.

  • Each accountable institution carries its own statutory duty; nothing makes one institution’s due diligence binding on another (FIC Act s 21; PCC 12A). Being asked again over time by the same institution is also lawful — keeping client information up to date is a statutory duty (ss 21C, 21D).

  • Neither number is in the Act. The 25% was guidance from 2017, deleted in September 2025; the FIC’s current position (PCC 59, August 2024) strongly recommends treating 5%+ as a controlling ownership interest. The full dated timeline.

  • No. Processing personal information to comply with FICA is lawful — FICA itself provides the justification under POPIA (PCC 22A). If you refuse, the institution must decline or end the relationship (s 21E). Your rights, in full.

Need more than a guide?

Talk to an attorney about FICA compliance

We advise companies, trusts and accountable institutions on customer due diligence, beneficial ownership and RMCPs — and we run this regime in our own practice every day.

Book a consultationCorporate & commercial practice