If your business is an Accountable Institution under the Financial Intelligence Centre Act (FICA) - an attorney, estate agent, financial advisor, motor-vehicle dealer above the threshold, bank, etc. - you have two compliance regimes pulling on the same data: FICA requires you to collect identifying information; POPIA limits how you use and share what you collect.
This article walks through how the two laws actually fit together in practice.
FICA says you must collect identifying information
FICA's Risk Based Approach (RBA), introduced by the FIC Amendment Act and reinforced by FIC guidance, requires Accountable Institutions to:
- Establish and verify the identity of every client
- Identify and verify beneficial ownership where the client is a juristic person
- Screen against the United Nations sanctions list
- Determine if the client or beneficial owner is a Politically Exposed Person (PEP)
- Maintain risk-rated client records
- Report suspicious transactions to the Financial Intelligence Centre
The records FICA expects you to keep are extensive: ID copies, proof of address, source-of-funds evidence, transaction records. FICA section 23 requires you to keep these records for at least five years from the end of the business relationship.
POPIA says you may only process what you actually need
POPIA section 10 requires that personal information be adequate, relevant, and not excessive in relation to the purpose. Section 14 requires you to delete or destroy information when you are no longer authorised to retain it. Section 18 requires you to tell data subjects why you are collecting their information.
Read in isolation, POPIA might suggest you should keep less. Read with FICA, the picture is simpler: FICA is the legal obligation - section 11(1)(c) of POPIA - that gives you the lawful basis to process the identifying information FICA requires.
Practical consequence: when you write your privacy notice for FICA data flows, the lawful basis you cite for the identifying-information fields is *legal obligation under FICA*, not *legitimate interest* and not *consent*.
Where they reinforce each other
POPIA section 19 and FICA section 42 both require reasonable security safeguards over client records. Meet one well and you tend to meet the other.
POPIA section 22 and FICA section 28 both impose reporting obligations for specific events - POPIA for personal-information breaches, FICA for suspicious transactions. Have one process that routes any incident to the right destination.
Where they pull in different directions
Retention is the visible tension. POPIA wants you to delete; FICA wants you to keep for five years. The resolution is straightforward: FICA wins for the records FICA requires. POPIA's section 14 expressly carves out information you are required by law to keep.
What POPIA *does* require is that you do not use the FICA records for unrelated purposes. The ID copy you took for client verification is not available for general marketing. The proof of address you took for FICA is not available to add to an unrelated database. Section 15 of POPIA prevents that further-processing creep.
Practical setup
In your data register, give the FICA records their own row. Mark the lawful basis as legal obligation (FICA). Set the retention to five years from end of relationship per FICA section 23. Restrict access to the staff who actually do FICA work.
Khanyitas' Growth tier flags Accountable Institutions during onboarding and adds FICA-specific fields to the register so the two regimes are visible side-by-side.