Identification vs verification
When taking on a client, an institution must “establish and verify” the identity of the client; of anyone the client is acting for; and of anyone acting for the client — plus, in the latter two cases, the authority to act (FIC Act s 21(1)(a)–(c)).
Establishing (identifying) means collecting identity information — usually from the client: full names, date of birth, and a government-issued identifying number. The FIC expects these basic attributes in every case (GN 7A para 85).
“Verification of the client’s identity entails that the accountable institution corroborates the person’s identity information by comparing this information with information contained in documents or electronic data issued or created by reliable and independent third-party sources.”
So verification is a comparison exercise: the claimed identity versus an independent source. Anything generated by the client — a CV, a letterhead, a self-declaration — does not count as such a source (GN 7A para 87).
Reliable, independent sources
Government-issued or government-controlled sources give the highest confidence, and the FIC says institutions should use them as far as practicable. They include the smart ID card, the older ID book, passports, driver’s licences, asylum-seeker and refugee permits, work permits and visas — and the underlying government databases themselves (GN 7A para 88). The guidance names corroborating sources by example: records of the Department of Home Affairs, the CIPC, SARS, eNaTIS and the Master of the High Court (GN 7A paras 89 and 94).
Electronic and biometric verification
Corroboration may be documentary or electronic, and the FIC actively encourages electronic verification against multiple third-party data sources. No provision says a human must confirm that the person in the photo is the person in front of them. In face-to-face onboarding, comparing the photograph is an obvious and widely adopted corroboration step, but it is a choice made in the institution’s Risk Management and Compliance Programme (RMCP), and online institutions lawfully achieve the same outcome with biometric matching against Home Affairs records instead. “Non-face-to-face” onboarding is treated in the guidance simply as a risk factor to manage, not a prohibition (GN 7A paras 82–91).
How much verification is enough?
After applying its processes, the institution “should have confidence that it knows who the client is with sufficient certainty given the accountable institution’s risk assessment pertaining to that client engagement”.
Risk calibrates depth. Lower-risk clients may receive simplified due diligence (less information, lighter corroboration); higher-risk clients must receive enhanced due diligence (more information, stronger corroboration, closer scrutiny). Foreign politically exposed persons always trigger enhanced measures; domestic ones do when the relationship is higher-risk (FIC Act ss 21F–21G, 42(2)(m); GN 7A paras 56–58).
Outsourced checks: accountability stays
Institutions using electronic verification providers remain fully responsible for the result — outsourcing the check does not outsource the accountability (GN 7A para 90; PCC 12A). For the customer this is invisible; for the institution it is why “the bureau got it wrong” is never a defence.
Worked example: fully online onboarding
Worked example — no branch, no paper
Bongani opens a bank account in an app. He types his ID number and personal details, photographs his ID card, and takes a selfie. The bank’s systems match the selfie to the ID photo biometrically and corroborate his details against Home Affairs data through a licensed provider, plus two further data sources.
This is equally compliant, and arguably stronger than a branch visit. Electronic data from reliable, independent sources is expressly endorsed for verification (GN 7A paras 89 and 91), and no face-to-face contact is required by law. The bank remains accountable for its provider’s accuracy (GN 7A para 90).
Frequently asked questions
Yes. Electronic data from reliable, independent sources is expressly endorsed for verification (GN 7A paras 89 and 91), and no face-to-face contact is required by law. “Non-face-to-face” onboarding is treated in the guidance simply as a risk factor to manage, not a prohibition.
No. Checking the ID number against the Department of Home Affairs database is one good method — an example in the guidance, encouraged but nowhere mandated. An institution may instead rely on inspecting the ID document, a credit-bureau or third-party data check, or a combination, depending on risk.
Anything generated by the client themselves: a CV, a letterhead, a self-declaration. Verification is a comparison against an independent source (GN 7A para 87).
Risk calibrates depth: lower-risk clients may receive simplified due diligence; higher-risk clients receive enhanced measures. Foreign politically exposed persons always trigger enhanced due diligence; domestic ones do when the relationship is higher-risk (FIC Act ss 21F–21G; GN 7A paras 56–58).