# FICA Customer Due Diligence (CDD) Explained for Accountable Institutions
Customer due diligence is one of the cornerstones of South Africa's anti-money laundering and counter-terrorism financing framework. If your organisation is listed as an Accountable Institution under Schedule 1 of the Financial Intelligence Centre Act (FICA), understanding what CDD requires — and how the Financial Intelligence Centre (FIC) interprets those requirements — is central to your compliance obligations.
> Disclaimer: This article is general information based on published FIC guidance and the text of FICA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
### What Is Customer Due Diligence?
Customer due diligence (also called "know your customer" or KYC) refers to the processes an Accountable Institution uses to identify and verify its clients, understand the nature of the business relationship, and assess the money laundering or terrorist financing (ML/TF) risk that relationship presents.
FICA, as amended by the Financial Intelligence Centre Amendment Act 1 of 2017, moved South Africa from a rules-based CDD model to a risk-based approach (RBA). Under the risk-based approach, Accountable Institutions are expected to calibrate the depth and intensity of their CDD measures to the assessed risk level of each client or transaction, rather than applying a single uniform checklist to everyone.
The FIC publishes detailed guidance on applying the risk-based approach. Its guidance notices and public compliance communications are available at fic.gov.za.
---
### The Three Tiers of CDD
FICA's risk-based framework recognises three broad tiers of due diligence.
#### 1. Standard CDD
Standard CDD applies to most business relationships where the assessed ML/TF risk is neither demonstrably low nor demonstrably high. It generally involves:
- Identifying the client — obtaining the client's full name, identity number or registration number, and other prescribed particulars.
- Verifying the identity — confirming those particulars against reliable, independent source documents (for example, a South African ID document or a CIPC certificate of incorporation for a legal person).
- Identifying beneficial owners — for legal persons and trusts, establishing who the natural persons are that ultimately own or control the entity. FICA places significant emphasis on beneficial ownership because shell structures are a common ML vehicle.
- Understanding the business relationship — establishing the nature and intended purpose of the relationship so that unusual or suspicious activity can be identified against that baseline.
#### 2. Enhanced CDD
Where the assessed risk is higher — for instance, when a client is a politically exposed person (PEP), the transaction involves a high-risk jurisdiction, or other red flags are present — an Accountable Institution is expected to apply enhanced CDD. This typically means:
- Obtaining senior management approval before establishing or continuing the relationship.
- Gathering additional information about the source of funds and source of wealth.
- Conducting more frequent and more detailed ongoing monitoring.
The FIC's guidance notes describe categories of higher-risk client and relationship indicators. Consulting those notes (available at fic.gov.za) alongside your institution's own risk assessment is the recommended approach to calibrating enhanced CDD triggers.
#### 3. Simplified CDD
Where the assessed risk is demonstrably low, FICA permits simplified CDD measures. However, the FIC is explicit that simplified CDD does not mean *no* CDD — identification and verification obligations still apply. Simplified CDD is more commonly available for regulated financial products with limited ML/TF exposure (such as certain low-value insurance policies).
---
### Ongoing Monitoring
CDD is not a once-off exercise. FICA requires Accountable Institutions to conduct ongoing due diligence throughout the business relationship. This includes:
- Keeping client information up to date and re-verifying it when material changes occur.
- Scrutinising transactions to ensure they are consistent with the institution's knowledge of the client, their business, and their risk profile.
- Identifying transactions or patterns that appear unusual or inconsistent, and escalating them through your suspicious transaction reporting (STR) process to the FIC.
Failure to maintain current client records and to monitor transactions on an ongoing basis is one of the most common findings in FIC supervisory reviews.
---
### Beneficial Ownership: A Closer Look
Beneficial ownership identification deserves particular attention. FICA defines a "beneficial owner" as a natural person who, directly or indirectly, ultimately owns or exercises effective control of a legal person or trust. Identifying beneficial owners can require looking through multiple layers of corporate structure.
The Companies and Intellectual Property Commission (CIPC) maintains a beneficial ownership register for companies incorporated under the Companies Act. Accountable Institutions should be aware that CIPC's register is a useful corroborating tool, but FICA's own beneficial ownership verification obligations remain independent of what is or is not recorded at CIPC. More detail on the CIPC beneficial ownership register is available at cipc.co.za.
---
### Record-Keeping
FICA requires Accountable Institutions to keep records of the information collected during CDD — including copies of identification documents and records of verification steps — for a prescribed period after the business relationship ends. The specific retention periods are set out in FICA itself and the associated regulations. Consult the Act or your legal counsel for the periods applicable to your institution type.
Having auditable, retrievable CDD records is not only a FICA obligation — it is also your primary defence if the FIC or your supervisor questions whether adequate due diligence was performed.
---
### Consequences of Non-Compliance
The FIC has administrative sanction powers under FICA. Sanctions for CDD failures can include administrative penalties, directives requiring remediation, and public disclosure of non-compliance. Repeated or serious non-compliance can result in referral for criminal prosecution. The FIC publishes summaries of administrative sanctions on its website, which show the types of findings and penalty ranges that have applied in practice.
---
### Practical Steps for Compliance Officers
- Maintain a current institutional risk assessment. Your CDD framework should be built on, and regularly updated to reflect, a documented assessment of the ML/TF risks specific to your client base, products, and geographies.
- Document your CDD policies and procedures. A written framework that maps each tier of CDD to clear triggers, evidence requirements, and approval steps is essential.
- Train client-facing staff. The best-designed policy fails without staff who can identify red flags and collect the right information at onboarding.
- Conduct periodic file reviews. Spot-check existing client files to confirm that information is current and that ongoing monitoring obligations are being met.
- Stay current with FIC guidance. The FIC issues public compliance communications (PCCs) and guidance notes regularly. Subscribe to updates at fic.gov.za.
---
### Where to Find the Primary Sources
- FICA (Act 38 of 2001, as amended): fic.gov.za
- FIC Guidance Notes and PCCs: fic.gov.za/guidance
- CIPC Beneficial Ownership Register: cipc.co.za
---
> Disclaimer: This article is general information based on published FIC guidance and the text of FICA. It is not legal advice. For your specific situation — including determining which CDD tier applies to a particular client or relationship — consult a qualified attorney.