Every time a property practitioner opens a new client file, two separate pieces of legislation quietly activate. The Protection of Personal Information Act (POPIA) governs how you collect and handle your client's personal data. The Financial Intelligence Centre Act (FICA) governs how you verify who that client actually is. Understanding where each law starts and stops — and where they overlap — is essential for any estate agent operating under the Property Practitioners Act and supervised by the Property Practitioners Regulatory Authority (PPRA).
> Disclaimer: This article is general information based on published Information Regulator guidance and Financial Intelligence Centre (FIC) guidance. It is not legal advice. For your specific situation, consult a qualified attorney.
---
Why estate agents sit under both laws
Estate agents are listed as accountable institutions under FICA's Schedule 1. That means the FIC requires property practitioners to conduct Customer Due Diligence (CDD) — commonly called FICA verification — before or during the establishment of a business relationship or transaction. You can find the FIC's guidance for accountable institutions at fic.gov.za.
At the same time, POPIA applies to any person or organisation that processes personal information in South Africa. When you collect a client's ID number, proof of address, income details, or spousal information to fulfil your FICA obligation, every one of those data points is personal information under POPIA. The two regimes run concurrently — you cannot satisfy one by ignoring the other.
---
What FICA asks you to do
FICA requires estate agents to:
- Identify and verify clients using reliable, independent source documents (such as a certified ID and proof of residential address).
- Understand the nature of the business relationship and, where applicable, the source of funds.
- Screen clients against relevant sanctions and politically exposed persons (PEP) lists.
- Keep records of all CDD documents for the period prescribed by the FIC — currently a minimum of five years from the end of the business relationship or transaction.
- Report suspicious and unusual transactions to the FIC.
The FIC publishes detailed guidance notices and public compliance communications at fic.gov.za. If you are unsure about a specific obligation, that is the primary source to consult — or speak to a compliance officer qualified in anti-money laundering (AML).
---
What POPIA asks you to do with the same documents
Every ID copy, bank statement, and utility bill you collect for FICA purposes is also personal information under POPIA. Here is how the key POPIA conditions apply to your client file:
Collect for a specific purpose (POPIA s13): POPIA requires that personal information be collected for a specific, explicitly defined, and lawful purpose. When collecting FICA documents, the purpose is clear: regulatory compliance with your obligations as an accountable institution. That is a lawful basis under POPIA.
Tell your client you are collecting their information (POPIA s18): When you collect personal information, POPIA requires that you notify the data subject. In practice this means your mandate agreement or a separate POPIA notification should tell the client: what information you are collecting, why you are collecting it (FICA verification and facilitating the property transaction), who else may receive it (such as a bond originator or conveyancer), and how long you will keep it.
Keep records only as long as necessary (POPIA s14): POPIA requires that records of personal information not be kept longer than necessary to achieve the purpose for which they were collected. FICA sets a *minimum* retention period of five years. POPIA's s14 sets the *ceiling* — once that regulatory minimum is met and there is no other lawful reason to retain the file, it should be securely disposed of.
Secure the information (POPIA s19): POPIA requires that you take reasonable technical and organisational measures to prevent loss, damage, or unauthorised access to personal information. For an estate agency this means: password-protected digital files, restricted access to physical file drawers, and ensuring that copies of clients' ID documents are not shared via unsecured channels such as WhatsApp groups.
Breach notification (POPIA s22): If personal information in your care is compromised — for example, if your email account is hacked and client ID copies are exposed — POPIA requires that you notify both the Information Regulator and the affected data subjects. The Information Regulator's contact details and the notification form are available at [inforegulator.org.za](https://www.inforegulator.org.za).
---
The overlap: one file, two compliance obligations
The practical tension for estate agents is this: FICA tells you to *collect and keep* certain documents; POPIA tells you to *minimise and protect* the personal information you hold. These are not contradictory — but they do require deliberate management.
| Obligation | FICA says | POPIA says |
|---|---|---|
| Collect client ID | Required | Lawful if purpose is defined (s13) |
| Notify client | Not specifically required | Required at collection (s18) |
| Retention period | Minimum 5 years | No longer than necessary (s14) |
| Security of documents | Prescribed by FIC | Reasonable safeguards required (s19) |
| Breach response | Report suspicious activity to FIC | Notify Regulator and data subject (s22) |
---
Your Information Officer and PPRA registration
Every business that processes personal information must designate an Information Officer under POPIA. For most estate agencies, this will be the principal or a senior manager. The Information Officer must be registered with the Information Regulator — registration is done at inforegulator.org.za.
The PPRA, which regulates property practitioners under the Property Practitioners Act, has also signalled that compliance with applicable legislation — including POPIA — forms part of the conduct expected of registered property practitioners. Estate agents should check ppra.org.za for the most current compliance notices.
---
Practical starting points for your agency
- Audit your client onboarding form. Does it explain to the client what you are collecting and why? If not, it likely does not meet POPIA s18.
- Review your retention schedule. Do you have a documented policy for when client files are archived and when they are destroyed? Both FICA (minimum five years) and POPIA (no longer than necessary) need to be reflected.
- Secure your document storage. Whether physical or digital, access to client files containing ID documents should be restricted and logged.
- Register your Information Officer with the Information Regulator if you have not already done so.
- Train your team. Every agent who handles client files is handling personal information. Basic POPIA awareness is not optional.
---
> Disclaimer: This article is general information based on published Information Regulator and Financial Intelligence Centre guidance. It is not legal advice. The interaction between POPIA, FICA, and the Property Practitioners Act involves nuances specific to your business structure, client base, and transaction types. Consult a qualified attorney or compliance professional for advice tailored to your situation.