For institutions

Running an Accountable Institution

Customer due diligence is only one duty in the stack. Registration, the RMCP, reporting, returns and training — with the penalty numbers that make them non-optional.

Published Last reviewed 9 min read

Legal position stated as at 11 June 2026

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer

An accountable institution must: register with the FIC (s 43B, via goAML, within 90 days of starting business); adopt and implement an RMCP — a documented, board-approved Risk Management and Compliance Programme (s 42); conduct customer due diligence per that RMCP (ss 20A–21H); keep records for five years (ss 22–24); screen and report — cash transactions of R49 999.99+ (CTRs), suspicious transactions (s 29 STRs) and targeted financial sanctions matches (s 28A); file risk and compliance returns when directed; and train staff on the RMCP (s 43). Administrative penalties reach R10 million for individuals and R50 million for firms — and sanctions are published.

Contents

Register with the FIC (goAML)

Section 43B requires every accountable institution to register with the FIC — in practice on the goAML platform, which issues an Org ID and is also where reports and returns are filed. Registration is free; the FIC expects it within 90 days of business commencing. The 2022 Schedule 1 newcomers (TCSPs, credit providers, CASPs, high-value goods dealers) are the sectors most often caught unregistered — and failure to register is independently sanctionable. Check whether Schedule 1 catches you.

The RMCP: your own rulebook

Section 42 requires a documented Risk Management and Compliance Programme — the institution’s own rulebook for how it assesses client risk, which information and documents it requires, how it verifies, when it applies enhanced due diligence, and how it reports. PCC 53 is the FIC’s dedicated guidance. Three properties matter in inspections:

  • Documented — a written programme tailored to the business, not a generic template;
  • Board-approved — approval cannot be delegated (Revised GN 7A); and
  • Implemented — a paper RMCP that staff do not follow is itself a sanctionable failure, as the attorney-firm penalty confirmed.

The RMCP is also why customer-facing document lists differ between institutions — the Act sets outcomes; the RMCP sets methods.

Reporting: CTRs, STRs and sanctions screening

  • Cash threshold reports (s 28): cash transactions of R49 999.99 or more (GN R2638 of 2022), reported on goAML within the prescribed period. “Cash” means physical currency — not EFTs or card payments.
  • Suspicious and unusual transaction reports (s 29): filed when suspicion arises, whatever the amount. The reporter’s identity is protected; tipping off the client is an offence.
  • Targeted financial sanctions (s 28A): clients must be screened against the TFS lists, with property freezes and reports on a match. Screening failures cost one law firm R3.9 million of its R7.77 million penalty.

Risk and compliance returns

Institutions must file risk and compliance returns when directed — Directives 6 and 7 of 2023 created the regime, and Directive 11 carries the current cycle (effective 1 April 2026). Non-submission of the return has been the single most common cause of FIC administrative sanctions — with legal practitioners and estate agents the worst offenders. The return is a questionnaire, not an exam; not filing it is the failure.

Training

Section 43 requires the institution to train its staff on the FIC Act and on the institution’s own RMCP. Inspections ask for the training records; “the compliance officer knows it” does not satisfy a duty that attaches to everyone who deals with clients.

What is at stake

Administratively, the FIC and supervisory bodies may impose cautions, reprimands, remedial directives, business restrictions and financial penalties of up to R10 million for a natural person and R50 million for a legal person — and sanction decisions are made public (FIC Act s 45C(3) and (11)). Criminally, failing to identify clients or to comply with the CDD duties is an offence carrying up to 15 years’ imprisonment or a fine of up to R100 million (ss 46–46A read with s 68(1)). None of this is theoretical — see the enforcement tracker for the Capitec, attorney-firm and estate-agency cases, and the FATF context that guarantees supervision is not softening.

Frequently asked questions

  • Within 90 days of starting the business (per the FIC’s own FAQ guidance on s 43B). Registration is free, runs through the goAML platform, and yields an Org ID. Failing to register is itself sanctionable.

  • A report to the FIC of any cash transaction of R49 999.99 or more (GN R2638 of 2022), filed on goAML within the prescribed period. Late CTRs featured prominently in the Capitec sanction. Card and EFT payments are not “cash” for this purpose.

  • Generally yes — filing an STR does not itself require freezing the relationship, and the reporter’s identity is protected. The Revised GN 7A also recognises that ongoing due diligence may be discontinued where continuing would tip the client off about a section 29 report. Tipping off is an offence; get advice on the specific file.

  • Only if it is customised, board-approved and actually implemented. An RMCP that is not documented, approved and lived is itself a sanctionable failure — it was a central finding in the R7.77 million attorney-firm penalty, and the Revised GN 7A confirms board approval cannot be delegated.

Sources

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading

Related guides

Need more than a guide?

Talk to an attorney about FICA compliance

We advise companies, trusts and accountable institutions on customer due diligence, beneficial ownership and RMCPs — and we run this regime in our own practice every day.

Book a consultationCorporate & commercial practice
Back to the FICA hub