
What….The….Fica

01 August 2025 | Compliance - Regulatory | General | Shannon Budhram

The Financial Intelligence Centre Act (FICA), in effect since 2001, is designed to combat financial crime and align South Africa with global standards such as the FATF recommendations. But its implementation must be risk-based—not administratively burdensome.

Recently, I was asked by my bank to resubmit my ID, despite having completed FICA verification. This raises two concerns: first, a misinterpretation of FICA’s risk-based approach; second, a potential breach of POPIA, which requires a legitimate purpose for processing personal data.

Institutions must remember: On-going Due Diligence (ODD) does not mean blanket re-verification. A simple confirmation of unchanged details may suffice. The FAIS Code’s Treating Customers Fairly (TCF) principles demand proportionality, transparency, and respect for client dignity. There are several misconceptions about FICA in South Africa that need to be cleared up.

Debunking the Myths

  1. FICA Is Just a Once-Off Process
  • Reality: FICA requires on-going due diligence (ODD). Institutions must keep client profiles current and monitor for risk triggers like changes in address, employment, or transaction patterns.
  2. FICA Means Collecting Every Document, Every Time
  • Reality: FICA is risk-based, not document-heavy. Re-verification should be proportional to client risk. Blanket requests for ID copies without justification may breach POPIA and erode trust.
  3. All Clients Must Submit the Same Documents
  • Reality: Requirements vary by client type (individual, company, trust, etc.). Institutions must tailor their document requests accordingly. Remember, a utility bill or cell phone statement is not the sole method for verifying proof of residential address.
  4. FICA Is Only for Banks
  • Reality: FICA applies to a wide range of accountable institutions, including attorneys, estate agents, and insurers.
  5. FICA Is About Ticking Boxes
  • Reality: FICA is about knowing your client and identifying suspicious activity.
  6. Refusing to Re-Submit Documents Is Always Non-Compliant
  • Reality: Clients have the right to question unnecessary duplication. Institutions must justify requests and ensure they align with both FICA and POPIA.

FICA, when applied correctly, is not a foe—it’s a friend to ethical governance and operational efficiency.

We need to address the disconnect between regulatory intent and institutional execution. In essence, remember:

FICA is risk-based, not document-heavy

On-going Due Diligence (ODD) should be proportional to client risk — not blanket re-verification.

Shannon Budhram
Admitted Attorney 
Certified ISO27001 Compliance (Lead Auditor)
Certified ISO37301 Compliance Management
Certificate in AML Beneficial Ownership
UNISA - Corporate Governance Risk & Compliance certificate
Damelin - Diploma Business Administration Management
(ICA, IRMSA, CISA, CISSP)
