FICA Basics: What Every Accountable Institution Must Know

FICA Basics: What Every Accountable Institution Must Know

South Africa's Financial Intelligence Centre Act (the FIC Act) places specific obligations on certain businesses — called Accountable Institutions — to help detect and prevent money laundering and the financing of terrorism. If you are an estate agent, attorney, financial advisor, or work in another listed profession, your business likely falls under this framework. This post outlines the core concepts in plain language.

> Disclaimer: This article is general information based on published Financial Intelligence Centre (FIC) guidance. It is not legal advice. For your specific situation, consult a qualified attorney or compliance professional.

---

What is the FIC Act?

The Financial Intelligence Centre Act 38 of 2001, as substantially amended in 2017, is South Africa's primary anti-money-laundering (AML) and counter-terrorism-financing (CTF) legislation. It is administered by the Financial Intelligence Centre (FIC), which publishes guidance and receives mandatory reports from regulated businesses. You can find the FIC's published resources at fic.gov.za.

The FIC Act does not apply to everyone. It targets specific categories of businesses and individuals — Accountable Institutions — that are considered higher-risk channels for the movement of illicit funds.

---

Who is an Accountable Institution?

The FIC Act lists Accountable Institutions in Schedule 1. The schedule has been expanded over time and currently includes, among others:

• Estate agents (registered with the Property Practitioners Regulatory Authority)
• Attorneys (as part of their trust account activities)
• Financial service providers (such as certain investment advisors and brokers)
• Accountants and auditors in defined circumstances
• Dealers in motor vehicles, high-value goods, and krugerrands
• Banks and other financial institutions
• Cryptocurrency asset service providers (added more recently)

If your business is listed in Schedule 1, you carry the full set of FICA compliance obligations described below. If you are unsure, the FIC's website publishes the current Schedule 1 text and sector-specific guidance notices.

---

The Core Obligations

#### 1. Register with the FIC

Every Accountable Institution must register on the FIC's goAML portal (available at fic.gov.za). Registration is the entry point to your compliance obligations — you cannot submit mandatory reports without it. The FIC publishes step-by-step registration guidance for each sector.

#### 2. Conduct Customer Due Diligence (CDD)

Customer due diligence — commonly called Know Your Client (KYC) — is at the heart of the FIC Act framework. Before entering into a business relationship or conducting certain transactions, an Accountable Institution is required to:

• Identify the client — obtain the client's full name and, for a natural person, their identity number or passport number.
• Verify that identity — check the identity against a reliable, independent source (such as a certified ID copy or the Department of Home Affairs database).
• Identify the beneficial owner — where the client is a company or trust, the FIC Act requires the institution to look through the structure to identify the natural person(s) who ultimately own or control the entity.
• Understand the business relationship — gather enough information about the nature and intended purpose of the relationship to assess risk.

The FIC Act introduces a risk-based approach: Accountable Institutions are expected to apply enhanced scrutiny to higher-risk clients and simplified measures to demonstrably lower-risk situations. The FIC has published sector-specific guidance notices explaining how to calibrate this.

#### 3. Conduct Ongoing Monitoring

CDD is not a once-off exercise at onboarding. The FIC Act requires Accountable Institutions to monitor existing business relationships on an ongoing basis — updating client information when circumstances change and re-verifying identity when records become outdated or when a transaction appears inconsistent with the client's known profile.

#### 4. Keep Records

Accountable Institutions are required to retain records of CDD information and transaction records for a defined period after the business relationship ends or the transaction is concluded. The FIC Act sets out the specific retention periods; for current detail, refer directly to the published Act at fic.gov.za. Records must be stored in a manner that allows them to be made available to the FIC or another competent authority on request.

#### 5. Submit Mandatory Reports to the FIC

This is one of the most visible obligations. The FIC Act requires Accountable Institutions to file specific reports through the goAML portal:

• Suspicious and Unusual Transaction Reports (SUTR/UTR): Filed when a transaction or attempted transaction gives grounds to suspect that it involves the proceeds of crime, money laundering, or terrorist financing. There is no minimum amount — the obligation arises from suspicion, not transaction size.
• Cash Threshold Reports (CTR): Filed when cash transactions above the prescribed threshold are conducted. The current prescribed threshold is published by the FIC and may be updated by regulation.
• Terrorist Property Reports (TPR): Filed when an Accountable Institution holds property it suspects is linked to terrorism or a terrorist organisation.

Failing to file a report when required — or tipping off a client that a report has been filed — carries serious penalties under the FIC Act.

#### 6. Implement a Risk Management and Compliance Programme (RMCP)

Accountable Institutions are required to develop, document, and maintain a written Risk Management and Compliance Programme. The RMCP must cover, at a minimum:

• A risk assessment of the institution's clients, products, delivery channels, and geographic exposure
• Internal rules for CDD, record-keeping, and reporting
• Staff training procedures
• Processes for screening clients against sanctions lists and Politically Exposed Person (PEP) databases

The FIC has published a detailed guidance note on what an RMCP must contain. The document is freely available on fic.gov.za and is the primary reference for building your programme.

#### 7. Appoint a Compliance Officer (for larger institutions)

The FIC Act requires certain Accountable Institutions — particularly those above a defined size — to designate an individual as a Compliance Officer responsible for implementing the RMCP and serving as the FIC's point of contact. Even where a formal designation is not mandatory, the FIC's guidance strongly encourages smaller institutions to assign this responsibility clearly.

---

Penalties for Non-Compliance

The FIC Act gives the FIC and other supervisory bodies significant enforcement powers. Administrative sanctions can include compliance orders, financial penalties, and — in the most serious cases involving deliberate misconduct — referral for criminal prosecution. The FIC publishes its enforcement actions, so sanctions are a matter of public record.

---

Where to Start

If you are new to FICA obligations, a practical starting point is:

1. Confirm whether your business is listed in Schedule 1 of the FIC Act.
2. Register on the FIC's goAML portal at fic.gov.za.
3. Download and read the FIC's guidance notice for your sector.
4. Draft or update your RMCP before your supervisory body requests it.

Khanyitas is designed to help South African SMEs manage compliance documentation, record-keeping, and reporting workflows — so you spend less time on administration and more time on your business.

---

> Disclaimer: This article is general information based on published Financial Intelligence Centre (FIC) guidance and the text of the FIC Act. It is not legal advice. Requirements can change and the FIC publishes updated guidance notices regularly. For your specific situation — including whether your business qualifies as an Accountable Institution and how to structure your RMCP — consult a qualified attorney or registered compliance professional.