They may ask for more than the Act
The single most useful thing to understand about a FICA request: the institution’s RMCP is its legal compliance instrument, and section 21E obliges it to refuse or end the relationship if its requirements are not met. “But the Act doesn’t require proof of address” is true — and beside the point if the institution’s RMCP requires it. Arguing the statute with a consultant gets you nowhere; the productive question is what else their rulebook accepts.
You do have room to engage
The risk-based framework encourages flexibility, and the FIC has long criticised needlessly restrictive document practices. If you cannot produce a particular document, ask what alternatives the institution accepts — many RMCPs provide for them (GN 7A para 30). And institutions must give you a reasonable chance to comply, with a warning, before terminating:
The client should get a reasonable opportunity to fix the problem and be told the consequences before termination. But an institution that waives its own RMCP requirements is breaking the law — which is why “can’t you just skip the FICA?” is never a lawful option.
Expect differences and repetition
Different institutions lawfully ask for different things — each discharges its own duty through its own RMCP (s 42). And being asked again over time is the ongoing-due-diligence duty at work, not a records failure: client information must be kept up to date, and due diligence repeated when doubts arise (ss 21C(1)(b), 21D). If the repetition seems excessive, the frequency is set by the RMCP — worth asking about, but not unlawful.
POPIA protects your information — it is not an opt-out
Institutions may only collect what their FICA compliance requires and must protect it under POPIA. But POPIA is not a basis to refuse FICA: processing personal information to comply with FICA is lawful, and the FIC’s position is that FICA provides the legal justification under POPIA (PCC 22A). Refuse, and the institution must decline or end the relationship (s 21E). The protective edge POPIA does give you: collection must stay proportionate to your actual risk profile — blanket maximal collection from every client regardless of risk is an over-reach.
How long they keep your information
Customer due diligence records must be kept for at least five years after the business relationship or transaction ends (FIC Act ss 22–23). A deletion request inside that window runs into the statutory retention duty — another place where FICA supplies the POPIA justification.
Suspect the request isn’t legitimate at all? The FIC never contacts the public to demand fees or documents — see FICA scams.
Frequently asked questions
No. The institution’s RMCP is its legal compliance instrument, and section 21E obliges it to refuse or end the relationship if its requirements are not met. “But the Act doesn’t require proof of address” is true — and beside the point if the institution’s RMCP requires it. Your leverage is in asking what alternatives the RMCP accepts, not in disputing the requirement.
Each accountable institution carries its own statutory duty; nothing makes one institution’s due diligence binding on another. An RMCP may allow reliance on another institution’s checks, but responsibility stays with the relying institution (FIC Act s 21; PCC 12A) — so most simply verify afresh.
No. Processing personal information to comply with FICA is lawful; the FIC says FICA provides the legal justification under POPIA (PCC 22A). Refuse, and the institution must decline or end the relationship (s 21E). POPIA does, however, require the collection to stay proportionate to your actual risk profile.
Ask what alternatives the institution accepts — many RMCPs provide for them, and the risk-based framework was designed partly for financial inclusion (GN 7A para 30). Institutions must also give you a reasonable chance to comply, with a warning, before terminating (GN 7A para 135).