How South Africa's FICA Amendment Act Changes KYC for Banks and FinTechs

What FICA Requires

Accountable Institutions

FICA defines "accountable institutions" as entities that must comply with AML/CFT obligations. The list includes banks, insurance companies, securities dealers, estate agents, motor vehicle dealers above specified thresholds, gambling institutions, attorneys, and — critically for the fintech sector — any entity that provides money lending, money transfer, or electronic funds transfer services.

The broad definition of accountable institutions means that most fintechs operating in South Africa fall within FICA's scope. Payment providers, lending platforms, crypto exchanges, and digital wallet services are all subject to FICA's customer due diligence, record-keeping, and reporting obligations.

Customer Due Diligence (CDD)

FICA's CDD requirements establish the identity verification obligations for accountable institutions. At minimum, institutions must establish and verify the identity of every customer before entering into a business relationship or executing a single transaction above the prescribed threshold.

For natural persons (individuals), CDD requires full name, date of birth, identity number (South African ID or passport number for non-citizens), residential address, and source of income for higher-risk relationships. The institution must verify these details against independent, reliable sources — typically the South African national ID database, document verification, and in some cases, biometric matching.

For legal persons (businesses), CDD requires the company name, registration number, registered address, trading address, identification of all persons authorized to act on behalf of the entity, and beneficial ownership information. This is where FICA's KYB requirements come into play.

Enhanced Due Diligence (EDD)

Enhanced due diligence applies to higher-risk customers and relationships. FICA's risk-based approach requires institutions to assess the risk posed by each customer and apply proportionate verification measures.

Higher-risk categories include politically exposed persons (domestic and foreign PEPs), customers from jurisdictions with inadequate AML/CFT frameworks (as identified by the FATF), complex or unusual transactions without apparent economic or lawful purpose, and any customer whose risk profile triggers heightened scrutiny under the institution's internal risk assessment.

EDD measures include obtaining additional identity documentation, verifying source of funds and source of wealth, conducting enhanced ongoing monitoring, and obtaining senior management approval for the business relationship.

South African Identity Documents

The South African ID Number

The South African identity number is a 13-digit numeric code that encodes the holder's date of birth, gender, citizenship status, and a check digit. It is the primary identity artifact for all financial transactions in South Africa and is issued by the Department of Home Affairs.

The ID number can be validated algorithmically — the check digit at the end confirms the number's internal consistency. Database verification confirms that the number is registered, active, and matches the provided personal details. For fintechs, real-time ID number validation is the first and most critical verification check.

Smart ID Card

South Africa is transitioning from the older green-bar-coded ID book to the new Smart ID card, which includes a chip with biometric data (fingerprints and facial image), a machine-readable zone, and enhanced security features. The Smart ID card is significantly more secure than the legacy ID book and enables chip-based verification similar to NFC passport reading.

However, the transition is ongoing. Millions of South Africans still carry the legacy green ID book as their primary identity document. Verification systems must support both document types — the old format with its limited security features and the new Smart ID with its chip-based verification capabilities.

Passport and Other Documents

For non-South African residents, the passport is the primary identity document. Work permits, temporary residence permits, and refugee identity documents are also accepted for CDD purposes, though the verification requirements are more stringent.

For address verification, South African institutions typically accept utility bills, bank statements, and municipal rate statements. The challenge in South Africa is that a significant portion of the population lives in informal settlements where traditional proof of address documents may not be available — creating a financial inclusion tension similar to the tiered KYC challenges in Nigeria and Kenya.

The Beneficial Ownership Register

FICA amendments introduced requirements for a beneficial ownership register — aligning South Africa with global trends toward corporate transparency. Companies and close corporations must identify and record their beneficial owners, and accountable institutions must obtain and verify this information as part of their KYB obligations.

The beneficial ownership threshold is generally set at 5% for listed companies and 5-25% for private companies, depending on the specific circumstances and the institution's risk assessment. This lower threshold — compared to the 25% standard in the EU and US — reflects South Africa's specific concerns about corporate opacity in a market where ownership structures can be complex and layered.

The Companies and Intellectual Property Commission (CIPC) is responsible for the beneficial ownership register. Institutions can access CIPC data for verification, though the completeness and accuracy of the register depend on companies' compliance with their filing obligations.

The Regulatory Sandbox

South Africa's Intergovernmental FinTech Working Group (IFWG) operates a regulatory sandbox that allows fintechs to test innovative products and services under regulatory supervision. The sandbox provides a controlled environment where new verification approaches — including digital onboarding, biometric authentication, and AI-powered monitoring — can be tested before full regulatory approval.

The sandbox has been instrumental in advancing digital verification in South Africa. Participants have tested video KYC, mobile-based identity verification, and automated CDD processes — generating data that informs the broader regulatory framework. For fintechs seeking to introduce verification innovations, the sandbox provides a pathway to regulatory acceptance that avoids the risk of launching a non-compliant product.

The IFWG brings together the South African Reserve Bank (SARB), the Financial Sector Conduct Authority (FSCA), the Financial Intelligence Centre (FIC), the National Credit Regulator (NCR), and the South African Revenue Service (SARS). This multi-regulator approach ensures that innovations tested in the sandbox meet the requirements of all relevant regulatory bodies simultaneously.

Comparison: South Africa vs Kenya vs Nigeria

South Africa, Kenya, and Nigeria represent three distinct approaches to financial services regulation in Africa, and understanding the differences is essential for fintechs operating across the continent.

South Africa has the most rigorous requirements. FICA's framework is comprehensive, enforcement is active, and the regulatory infrastructure (FIC, SARB, FSCA) is well-resourced. The beneficial ownership requirements are stricter than in most African jurisdictions, and the transition to Smart ID cards is improving the quality of identity verification.

Kenya's approach is more focused on financial inclusion. The tiered KYC system for mobile money enables access for populations without formal identity documents while maintaining AML compliance for higher-value transactions. The regulatory infrastructure is maturing, and the Virtual Asset Service Provider Bill adds a new compliance layer.

Nigeria's framework is layered and evolving. The CBN's tiered system, the BVN and NIN identity infrastructure, and the SEC's crypto regulations create a complex compliance environment that is still being harmonized. Document quality variability remains a significant challenge.

For fintechs operating across all three markets, the key insight is that compliance cannot be standardized. Each country requires market-specific verification infrastructure, document-specific authentication models, and regulatory-specific reporting capabilities.