There is no list — since 2 October 2017
Until 2 October 2017, the Money Laundering and Terrorist Financing Control Regulations prescribed, step by step, which particulars to collect and which documents to use — for a South African natural person, full names, date of birth, identity number and residential address, verified against an “identification document” and address corroboration.
On 2 October 2017 that entire chapter of the Regulations was repealed (GN R1062, Government Gazette 41154), and the old exemptions — including Exemption 17 for low-value bank accounts — were withdrawn. In their place came a risk-based approach: the Act now says what outcome must be achieved, and each institution’s RMCP (required by section 42) says how.
An accountable institution must, in the course of a business relationship or single transaction, establish and verify the identity of the client “in accordance with its Risk Management and Compliance Programme”.
The FIC’s core guidance spells out the consequence: institutions “now have the flexibility to choose the type of information by means of which it will establish clients’ identities and also the means of verification”, with the nature and extent of verification determined by the assessed money-laundering risk (GN 7A paras 74 and 84).
The single most important point
Since 2 October 2017 there has been no statutory list of “FICA documents”. The Act says what outcome must be achieved — know your client with confidence proportionate to the risk — and each institution’s RMCP says how. That is why two banks lawfully ask for different things, and why an institution may lawfully ask for more than the Act itself mentions. The document lists you see are institutional policy, not legislation.
What must always be collected
The Act uses two distinct verbs: an institution must “establish and verify” identity (s 21(1)). Establishing means collecting identity information; verifying means corroborating it. The FIC expects these basic attributes in every case (GN 7A para 85):
- full names;
- date of birth; and
- a government-issued identifying number — for South Africans the ID number, for foreign nationals a passport or permit number.
That short list FIC guidance is the whole of what is expected in every case. Everything beyond it is calibrated to risk by the institution’s RMCP.
What counts as a reliable, independent source
Verification is a comparison exercise: the claimed identity against an independent source. Anything generated by the client — a CV, a letterhead, a self-declaration — does not count (GN 7A para 87).
“Verification of the client’s identity entails that the accountable institution corroborates the person’s identity information by comparing this information with information contained in documents or electronic data issued or created by reliable and independent third-party sources.”
Government-issued or government-controlled sources give the highest confidence: the smart ID card, the older ID book, passports, driver’s licences, asylum-seeker and refugee permits, work permits and visas — and the underlying government databases themselves (GN 7A para 88). Corroboration may be documentary or electronic: the FIC actively encourages electronic verification against records of Home Affairs, the CIPC, SARS, eNaTIS and the Master of the High Court (GN 7A paras 89 and 94).
What the law does NOT prescribe
Because the method is left to each institution’s RMCP, none of the following is required by the Act or the Regulations:
| Commonly demanded | Actual status | The position |
|---|---|---|
| A Home Affairs check | RMCP choice | One good method — encouraged in guidance, mandated nowhere. Inspecting the ID document or a third-party data check can serve instead, depending on risk. |
| A physical photo-to-face comparison | RMCP choice | No provision requires a human to compare the photo. Online institutions lawfully use biometric matching against Home Affairs records instead; non-face-to-face onboarding is a risk factor to manage, not a prohibition. |
| Certified copies / originals / wet ink | RMCP choice | The Act is silent on all of these. Guidance asks only that verification use a reliable, independent source — as far as possible the original source of the information. |
| Proof of residential address | RMCP choice | Since 2017, merely one optional supplementary attribute an institution may choose to use. Not a baseline legal requirement — see the dedicated guide. |
(GN 7A paras 86–94; FIC Act s 42(2)(d).) For the address question in full — including where the “not older than 3 months” rule came from — see Is proof of address a FICA requirement?
Why every institution’s list is different
Each accountable institution carries its own statutory duty, discharged through its own RMCP. One bank’s RMCP may accept a biometric match in an app; another’s may insist on certified copies and a branch visit. Both are lawful. That is also why being “FICA’d” at one institution does not carry over to the next — nothing makes one institution’s due diligence binding on another (FIC Act s 21; PCC 12A).
The flip side: once an institution’s RMCP requires something, the institution is obliged to enforce it. An institution that waives its own RMCP requirements is breaking the law — which is why “can’t you just skip the FICA?” is never a lawful option (GN 7A para 135; FIC Act s 21E).
Worked example: a walk-in client
Worked example — face-to-face
Naledi mandates an estate agency to sell her house. The agency’s RMCP classifies ordinary residential sellers as lower-risk and requires: full names, date of birth and ID number, verified against her smart ID card, with the consultant comparing the photo and particulars; for sellers flagged higher-risk, an additional electronic check against third-party databases.
That is fully compliant. The Act required the agency to establish and verify her identity per its RMCP (s 21(1)); the ID card is a government-issued source (GN 7A para 88). No proof of address, no certified copies and no Home Affairs call are legally required — if the agency asks for them anyway, that is its RMCP choice, which it is entitled (indeed obliged) to enforce.
What about people without standard documents?
The risk-based approach was designed partly for financial inclusion: institutions have “the flexibility to use a range of mechanisms to establish and verify the identities of their clients”, bringing previously excluded people into the formal economy (GN 7A para 30). An RMCP may make sensible provision for clients who cannot produce conventional documents — if you cannot produce a particular document, ask what alternatives the institution accepts. Even under the old pre-2017 rules, the FIC criticised institutions for being needlessly restrictive about address documents (GN 3A, withdrawn).
Frequently asked questions
No. The prescriptive identification regulations were repealed with effect from 2 October 2017 (GN R1062). Since then, section 21(1) of the FIC Act requires each institution to establish and verify identity “in accordance with its Risk Management and Compliance Programme” — its own documented rulebook. The document lists you see are institutional policy, not legislation.
The Act and Regulations are silent on certification, original sightings and wet-ink forms. FIC guidance asks only that verification use a reliable, independent source. If an institution requires certified copies, that is its RMCP choice — lawful, and the institution is entitled to enforce it.
No ID format is prescribed. The smart ID card, the older green book, passports, driver’s licences, asylum-seeker and refugee permits, and even the underlying government databases are all acceptable sources (GN 7A para 88). Electronic data from reliable, independent sources is expressly endorsed.
Yes. An institution’s RMCP is its legal compliance instrument, and section 21E obliges it to refuse or end the relationship if its requirements are not met. “But the Act doesn’t require proof of address” is true — and beside the point if the institution’s RMCP requires it. You can, however, ask what alternatives the RMCP accepts.
Ongoing due diligence is a statutory duty: information must be kept up to date (FIC Act ss 21C, 21D), and due diligence must be repeated when doubts arise. The frequency is set by each institution’s RMCP — so being asked again over time is the law working, not a records failure.