The short answer
No statute or regulation currently in force requires a South African natural person to produce proof of residential address for FICA purposes. RMCP choice If you are asked for it — and you often will be — you are looking at the institution’s own RMCP at work, not the Act.
Where the requirement came from
Until 2 October 2017, the Money Laundering and Terrorist Financing Control Regulations prescribed the particulars to collect for a South African natural person: full names, date of birth, identity number and residential address, verified against an identification document and address corroboration (former regs 3 and 4).
On 2 October 2017 that entire chapter was repealed (GN R1062, GG 41154 of 29 September 2017). In its place came the risk-based approach: section 21(1) of the FIC Act now requires institutions to establish and verify identity “in accordance with its Risk Management and Compliance Programme”. The statutory address requirement died that day; many institutional checklists simply never caught up.
The “3 months” rule was never law
Even before 2017, no regulation specified a maximum age for an address document. The three-month figure was a good practice suggestion in the FIC’s 2005 Guidance Note 3A — guidance that has since been withdrawn. It survives today purely as institutional habit, copied from checklist to checklist.
“Address verification was a regulation only until 2 October 2017; the 3-month figure was never in the regulation at all — it was a ‘good practice’ suggestion in 2005 guidance. Today an address is an optional supplementary attribute. If asked for, it is the institution’s RMCP choice.”
The position today
Under the FIC’s current core guidance, a residential address is one of several supplementary identity attributes an institution may choose to collect and verify — alongside biometric data, place of employment, contact details and tax numbers (GN 7A para 86). What is expected in every case is far shorter: full names, date of birth and an identifying number (GN 7A para 85), corroborated against a reliable, independent source.
Why some banks still ask — and some don’t
Capitec famously dropped the proof-of-address requirement for personal accounts under its risk-based RMCP, relying instead on biometric and database verification. Other banks have kept a documentary address requirement. Both approaches are lawful: since 2017 the Act sets the outcome, and each institution’s RMCP sets the method. The variation between institutions is the clearest everyday evidence that the document lists are policy, not statute.
If you can’t produce one
Many South Africans — tenants without utility accounts, residents of informal or rural areas, adult children living at home — cannot easily produce a conventional address document. The risk-based framework was designed with this in mind: institutions have “the flexibility to use a range of mechanisms” (GN 7A para 30), and the FIC has long criticised needlessly restrictive document practices. Ask what alternatives the institution’s RMCP accepts; institutions must also give you a reasonable opportunity to comply, with a warning, before terminating (GN 7A para 135).
Company addresses
The same logic applies to juristic clients: nowhere do the current Act or Regulations require proof of address for a company, its directors or its shareholders. A company’s registered and business addresses appear in guidance merely as identity attributes an institution may use, per its RMCP (GN 7A para 98). See FICA for companies for the full picture.
Frequently asked questions
You can ask whether the institution’s RMCP accepts alternatives — many do. But if its RMCP requires address proof and you do not meet the requirement, section 21E obliges the institution to refuse the relationship or terminate it. The law does not require the document; the institution’s rulebook may.
That depends entirely on the institution’s RMCP — there is no statutory list. Commonly accepted: municipal accounts, bank statements, leases, insurance schedules, and letters from employers, accountants or tribal authorities. If the standard items don’t fit your situation, ask what alternatives the RMCP provides for.
Both are lawful. Since 2017 the depth and method of verification is each institution’s risk-based RMCP choice. One bank’s RMCP relies on biometric and database checks; another’s keeps a documentary address requirement. The difference illustrates the risk-based approach — it is not evidence that either bank is breaking the rules.
Often, yes — as one of several optional supplementary attributes an institution may choose to use alongside biometrics, place of employment, contact details and tax numbers (GN 7A para 86). Collecting the address as information is different from demanding documentary proof of it; both are RMCP choices.