# FICA Record-Keeping: What to Keep and for How Long
For accountable institutions in South Africa, maintaining the right records for the right period is one of the most practical — and inspected — parts of your anti-money laundering (AML) compliance programme. The Financial Intelligence Centre Act (FICA) sets out clear expectations for what must be kept, in what form, and for how long. This article walks through the core requirements as published by the Financial Intelligence Centre (FIC).
> Disclaimer: This article is general information based on published Financial Intelligence Centre guidance and the text of FICA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
### Why Record-Keeping Matters Under FICA
The FIC and supervisory bodies — including the South African Reserve Bank (SARB), the Financial Sector Conduct Authority (FSCA), and the Legal Practice Council, among others — conduct compliance inspections. During an inspection, demonstrating that your records exist, are complete, and are retrievable is often as important as the records themselves. Poor record-keeping is one of the most common findings in supervisory reviews.
FICA's record-keeping requirements are closely linked to two other pillars of your compliance framework: customer due diligence (CDD) and transaction monitoring. Without adequate records, you cannot demonstrate that you identified your client, assessed the risk, or reported suspicious activity where required.
---
### What Records Must Be Kept?
FICA requires accountable institutions to retain records in two broad categories.
#### 1. Customer Due Diligence (CDD) Records
When you onboard a client, FICA requires you to establish and verify their identity. The records you must keep include:
- The information obtained to identify the client (for example, full name, date of birth, identity number, address).
- Copies of the documents used to verify that information (for example, a certified copy of an identity document, passport, or company registration documents).
- For legal persons and other entities: beneficial ownership information, including the identity of the natural persons who ultimately own or control the entity.
- Records of any risk assessment conducted in relation to the client.
The FIC's guidance notes and FICA itself make clear that records must be sufficient to allow a third party — such as an inspector — to reconstruct the CDD process you followed.
#### 2. Transaction Records
For every transaction conducted by or on behalf of a client, the accountable institution must keep a record that contains:
- The nature of the transaction (for example, a cash deposit, wire transfer, or currency exchange).
- The amount involved and the currency.
- The date on which the transaction was concluded.
- The parties to the transaction, including account details where applicable.
This applies to both domestic and cross-border transactions.
---
### The Five-Year Retention Rule
FICA's record-keeping provisions set a five-year retention period. Specifically:
- CDD records must be kept for at least five years from the date on which the business relationship with the client is terminated, or from the date of a single transaction where no ongoing relationship exists.
- Transaction records must be kept for at least five years from the date the transaction was concluded.
The FIC has consistently applied and communicated this five-year standard in its public guidance. You can review the relevant provisions and guidance documents directly at fic.gov.za.
Note that other legislation — for example, tax legislation administered by SARS, or the Companies Act as administered by CIPC — may impose separate and sometimes longer retention obligations on the same underlying records. Accountable institutions operating across multiple regulatory frameworks should map all applicable retention periods before deciding when a record may safely be destroyed.
---
### Format and Accessibility Requirements
FICA does not prescribe a single format for record storage. Records may be kept in paper or electronic form, provided they:
- Are in a form that allows them to be accessed and reproduced in legible form during the retention period.
- Can be produced promptly when requested by the FIC or a relevant supervisory body.
In practice, this means that an electronic record management system must ensure records are not subject to format obsolescence — for example, proprietary file formats that become unreadable as software is updated. The FIC's guidance recommends that institutions have documented policies covering how records are stored, backed up, and made retrievable.
---
### Practical Steps for Accountable Institutions
Setting up a compliant record-keeping system typically involves the following steps, though the right approach will vary by institution size, risk profile, and sector:
- Map your record types. Identify every category of CDD and transaction record your institution generates, including records produced by third parties acting on your behalf.
- Set retention triggers. For CDD records, the clock starts on termination of the relationship. For transaction records, it starts on the transaction date. Your system should be able to flag records that have reached their five-year mark.
- Document your policy. The FIC expects institutions to have a written record-keeping policy. This should cover what is retained, where, for how long, and who is responsible.
- Test retrievability. Periodically confirm that records can actually be accessed and reproduced. A record that exists but cannot be read within a reasonable time is unlikely to satisfy an inspector.
- Align with other frameworks. Cross-reference your FICA retention schedule with SARS requirements (see sars.gov.za) and CIPC requirements (see cipc.co.za) to avoid either premature destruction or confusion about applicable deadlines.
- Train responsible staff. The people who handle client onboarding and transaction processing need to understand what to capture, how, and where it is stored.
---
### What Happens If Records Are Inadequate?
Failing to maintain adequate FICA records can result in findings during supervisory inspections and, in more serious cases, administrative sanctions or referral to the FIC. The FIC publishes its enforcement actions; the reputational and operational impact of a public sanction is a material risk for any accountable institution.
Beyond enforcement, inadequate records can undermine your ability to defend your institution's conduct if a transaction is later investigated as suspicious. Records are your primary evidence that you applied appropriate controls.
---
### Further Reading
- Financial Intelligence Centre — fic.gov.za: FICA guidance notes, public compliance communications, and the FIC Act itself.
- SARS record-keeping requirements — sars.gov.za
- CIPC company records guidance — cipc.co.za
---
> Disclaimer: This article is general information based on published Financial Intelligence Centre guidance and the text of FICA. It is not legal advice. For your specific situation — including the interaction between FICA retention requirements and other applicable legislation — consult a qualified attorney.