Getting started with FICA

New to FICA Compliance? It can be intimidating to get started, but that is why we are here! We can help. Don’t delay, call today!

At the most basic level, FICA Compliance requires

  • Registration with FICA
  • Developing an RMCP

The Financial Intelligence Centre issues extensive supporting documentation. These documents are also updated frequently. The documents listed on this page can be downloaded directly from the fic.gov.za website; the links point to the current version of each document as of 13 October 2025.

Registration with FICA

Registration with FIC: PUBLIC COMPLIANCE COMMUNICATION 5D

ON REGISTRATION WITH THE FINANCIAL INTELLIGENCE CENTRE IN TERMS OF SECTION 43B OF THE FINANCIAL INTELLIGENCE CENTRE ACT, 2001 (ACT 38 OF 2001)
Issued October 2023 and covers 64 pages. This document contains critical information on the who, what and why of registering with FIC. It provides the background on which organizations need to register, and contains valuable advice on the process to follow.

Developing an RMCP

Guidance on RMCPs: PUBLIC COMPLIANCE COMMUNICATION No 53

ON THE RISK MANAGEMENT AND COMPLIANCE PROGRAMME IN TERMS OF SECTION 42 OF THE FINANCIAL INTELLIGENCE CENTRE ACT, 2001 (ACT 38 OF 2001) FOR DESIGNATED NON-FINANCIAL BUSINESSES AND PROFESSIONS
Issued August 2022 and covers 44 pages. This document outlines the expectations of FIC concerning the RMCP and the technical content required to be considered compliant. This document forms the core of FICA compliance, and an incomplete or inappropriate RMCP will automatically result in a non-compliant finding.

Revised Guidance Note 7A


Revised Guidance Note 7A – Implementation of various aspects of the FIC Act

ON THE IMPLEMENTATION OF VARIOUS ASPECTS OF THE FINANCIAL INTELLIGENCE CENTRE ACT, 2001 (ACT 38 OF 2001)

Issued September 2025 and covers 76 pages. This revised document replaces Guidance Note 7A issued in February 2025. This document is essential reading for understanding concepts fundamental to the FICA process. Among other essential topics, it covers Know-Your-Client concepts, Ultimate Beneficial Ownership and developing a Risk Based Approach.

These links are presented as a first-step approach to FICA compliance, and are not intended to cover all topics for all Accountable Institutions. These three documents cover almost 200 pages and only provide guidance on what is required. It should be noted that subsequent to registration, FIC allows a grace period of 90 days for new Accountable Institutions to complete their FIC registration and submission of Risk Compliance Returns (a report) and RMCP. This long grace period is intentional. FIC appreciates the time and care required to meet the expected requirements.

If you require assistance in meeting your compliance obligations, please contact us for more information.

RMCP update April 2025

FIC Media Release 9/5/1/3 has reference.

On 13 February 2025 the High Court of South Africa, Gauteng Local Division, Johannesburg issued its first court order in terms of section 23 of POCDATARA. This court order has far-reaching implications for FICA-related compliance.

POCDATARA – Protection of Constitutional Democracy Against Terrorist and Related Activities Act, 2004 (Act 33 of 2004)
Section 23 allows for the freezing of property in terrorist related matters, upon application to court.

FICA – Financial Intelligence Centre Act, 2001 (Act 38 of 2001)

It should be noted that a court order in terms of Section 23 of POCDATARA has a practical effect similar to that of Section 26 of FICA, meaning that all transactions involving such an entity must stop immediately and be reported to FIC.

This has serious implications for all Accountable Institutions. At the least, the current client base should be scrutinized to determine whether any of the names listed in the judgment appear.

Subsequently, and more importantly, the RMCP must be updated to provide for internal process and procedure to deal with POCDATARA-related matters. Several aspects come to mind: sourcing POCDATARA-related judgments, maintaining a searchable database of names, the frequency of searches conducted against these names, and finally the internal process for escalation and reporting when a client name is found in a POCDATARA-related judgment.

The court order makes it clear that appearing in a POCDATARA judgment has the same practical effect as if the person's name is found in a TFS screening result. This means that, just like with a positive TFS result, all business activities must stop, and a report must be made to FIC, typically within 24 hours.

FIC.Gov.ZA crashed

On Tuesday 11 March at approximately 16:50 the fic.gov.za site, which acts as the portal to the goAML page, became unavailable.

No reasons have been given for same.

On Wednesday 12 March at approximately 12:18 the site became unresponsive.

Users are urged to return to the site and verify that their uploads are in fact secure.

In addition, the https://www.fic.gov.za/compliance-queries/ query page remains available. Unofficially and as a fallback mechanism, users are encouraged to submit their documents with screenshots of previous attempts through this mechanism.

A very brief overview of FICA Compliance

FICA Compliance requires infrastructure

  1. Registration with FIC/goAML
  2. Appointment of Compliance Officer
  3. RMCP subject to periodic review
  4. RCR (deadline still May 2023)

Then, operationally

  • Targeted Financial Sanctions list screening (TFS)
  • Risk Assessment
  • KYC (this includes client due diligence)
  • Ongoing Business Relationships
  • Employee screening (Directive 8)

With resultant record keeping and reports

RMCP Development Consultancy

Here at Be Compliant, we have built the capacity to assist you with developing and maintaining your Risk and Compliance Management Program (RMCP).

Over the past year alone, we have trained or addressed several hundred individuals on FICA Compliance.

We have also assisted in the development and rollout of RMCPs to numerous satisfied clients. It is no small achievement to state that all the RMCP developments that we have been involved with have passed inspection.

Should you require assistance in developing your RMCP, please do not hesitate to complete the contact form above.

RMCP Upload Deadline 12 March 2025

URGENT FICA RMCP NOTICE
On 4 March 2025 the FIC instructed all accountable institutions to upload their current RMCP.
Deadline is 12 March 2025.

Please inspect your FIC portal for this notice

___________________________________________

This upload request is new. Historically the FIC requested RMCPs on a one-by-one basis as a first step during inspection. This is the first time that a mass upload of documents is requested. It coincides with the start of the Financial Year for most businesses.

Please note that the RMCP should be updated at least annually and that the date of approval required in the filename must not be older than 2024-03-01; if it is, you will be uploading an outdated RMCP.

We believe that this is the start of a mass inspection cycle.

2025-02-13 FIC Guidance Note 7A

This is an extensive Guidance Note, covering some 75 pages.

The document discusses understanding Risk and the recommended steps to follow in order to achieve a risk-based compliance state.

Although much of the document is general risk management theory, the document is intended specifically for accountable institutions in South Africa and deals with Money Laundering and Terrorist Financing. Interestingly, geographic location features as a contributing risk factor.

The good news is that our documentation currently meets the requirements of this Guidance Note.

Workshops will follow, dealing with the practical implications of this Guidance Note, and FIC enforcement posture.

Watch this space.

Privacy Policy

We are a data company. Since data is core to the Services that we offer, we aim to be as transparent as possible about how and why we store your data.

Your privacy is important to us. This privacy statement explains the personal data Be Compliant processes, how Be Compliant processes it, and for what purposes.

Be Compliant offers a wide range of products, including server products used to help operate enterprises worldwide. References to Be Compliant products in this statement include Be Compliant services, websites, apps, software, servers, and devices.

Please read the product-specific details in this privacy statement, which provide additional relevant information. This statement applies to the interactions Be Compliant has with you and the Be Compliant products listed below, as well as other Be Compliant products that display this statement.

Personal data we collect

Be Compliant collects data from you, through our interactions with you and through our products. You provide some of this data directly, and we get some of it by collecting data about your interactions, use, and experiences with our products. The data we collect depends on the context of your interactions with Be Compliant and the choices you make, including your privacy settings and the products and features you use. We also obtain data about you from Be Compliant affiliates, subsidiaries, and third parties.

You have choices when it comes to the technology you use and the data you share. When we ask you to provide personal data, you can decline. Many of our products require some personal data to provide you with a service. If you choose not to provide data required to provide you with a product or feature, you cannot use that product or feature. Likewise, where we need to collect personal data by law or to enter into or carry out a contract with you, and you do not provide the data, we will not be able to enter into the contract; or if this relates to an existing product you are using, we may have to suspend or cancel it. We will notify you if this is the case at the time. Where providing the data is optional, and you choose not to share personal data, features such as personalisation that use such data will not work for you.

How we use personal data

Be Compliant uses the data we collect to provide you with rich, interactive experiences. In particular, we use data to:

  • Provide our products, which includes updating, securing, and troubleshooting, as well as providing support. It also includes sharing data, when it is required to provide the service or carry out the transactions you request.
  • Improve and develop our products.
  • Personalise our products and make recommendations.
  • Advertise and market to you, which includes sending promotional communications, targeting advertising, and presenting you with relevant offers.
  • We also use the data to operate our business, which includes analysing our performance, meeting our legal obligations, developing our workforce and doing research.

In carrying out these purposes, we combine data we collect from different contexts (for example, from your use of two Be Compliant products) or obtain from third parties to give you a more seamless, consistent and personalised experience, to make informed business decisions, and for other legitimate purposes.

Our processing of personal data for these purposes includes both automated and manual (human) methods of processing. Our automated methods often are related to and supported by our manual methods. For example, to build, train, and improve the accuracy of our automated methods of processing (including artificial intelligence or AI), we manually review some of the output produced by the automated methods against the underlying data.

As part of our efforts to improve and develop our products, we may use your data to develop and train our AI models. Learn more here. Specifically, we may use AI to process information found on the internet to extract relevant electronic footprint data.

Reasons we share personal data

As a rule, we do not share your personal data without your consent. We do share data with Be Compliant-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; and to protect the rights and property of Be Compliant and its customers.

We do not mine your data and we do not offer your data for sale.

Cookies and similar technologies

Cookies are small text files placed on your device to store data that can be recalled by a web server in the domain that placed the cookie. We use cookies and similar technologies for storing and honouring your preferences and settings, enabling you to sign-in, providing interest-based advertising, combating fraud, analysing how our products perform and fulfilling other legitimate purposes.

Browser Cookie

Our Be Compliant Online Software (BCOS) uses run-time cookies to ensure a stable user experience. This cookie is dropped at the end of every session and no persistent data is stored. If you feel uncomfortable with this cookie, please do not use our software.

We do not use, nor permit Third Party cookies to deploy through our products.

Products provided by your organisation – notice to end users

If you use a Be Compliant product with an account provided by an organisation you are affiliated with, such as your work or school account, that organisation can:

  • Control and administer your Be Compliant product and product account, including controlling privacy-related settings of the product or product account.
  • Access and process your data, including the interaction data, diagnostic data, and the contents of your communications and files associated with your Be Compliant product and product accounts.
  • If you lose access to your work or school account (in event of change of employment, for example), you may lose access to products and the content associated with those products, including those you acquired on your own behalf, if you used your work or school account to sign in to such products.

Many Be Compliant products are intended for use by organisations, such as law firms, estate agents, accountants and other businesses. If your organisation provides you with access to Be Compliant products, your use of the Be Compliant products is subject to your organisation’s policies, if any. You should direct your privacy enquiries, including any requests to exercise your data protection rights, to your organisation’s ITC administrator or Information Officer. When you use social features in Be Compliant products, other users in your network may see some of your activity. To learn more about the social features and other functionality, please review documentation or help content specific to the Be Compliant product. Be Compliant is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this privacy statement.

When you use a Be Compliant product provided by your organisation, Be Compliant’s processing of your personal data in connection with that product is governed by a contract between Be Compliant and your organisation. Be Compliant processes your personal data to provide the product to your organisation and you. As mentioned above, if you have questions about Be Compliant’s processing of your personal data in connection with providing products to your organisation, please contact your organisation. If you have questions about Be Compliant’s business operations in connection with providing products to your organisation as provided in the Terms & Conditions portion of the Service Level Agreement

Be Compliant account

With a Be Compliant account, you can sign in to Be Compliant products. Personal data associated with your Be Compliant account includes credentials, name and contact data, payment data, device and usage data, your contacts, information about your activities, and your interests and favourites. Signing in to your Be Compliant account enables personalisation and consistent experiences across products and devices, permits you to use cloud data storage, allows you to make payments using payment instruments stored in your Be Compliant account and enables other features.

Other important privacy information

Below you will find additional privacy information, such as how we secure your data, where we process your data, and how long we retain your data. You can find more information on Be Compliant and our commitment to protecting your privacy at Be Compliant Privacy.

When a customer engages with Be Compliant for professional services, we collect the name and contact data of the customer’s designated point of contact and use information provided by the customer to perform the services that the customer has requested.

When a customer engages with a Be Compliant sales representative, we collect the customer’s name and contact data, along with information about the customer’s organisation, to support that engagement.

When a customer interacts with a Be Compliant support professional, we collect device and usage data or error reports to diagnose and resolve problems.

When a customer pays for products, we collect contact and payment data to process the payment.

When Be Compliant sends communications to a customer, we use data to personalise the content of the communication.

RMCP Rollout

Another successful RMCP rollout

The cornerstone of FICA Compliance is the Risk Management and Compliance Program (RMCP). This is the definitive quality control document that contains all the essential policy and procedures concerning the organization’s FICA compliance.

The document in the photo covers some 66 pages of policy, including the Risk Matrix and annexures. KYC is described covering basic, standard and enhanced client due diligence. The Annexures contain specific procedures and templates.

  • This document contains
    • Definitions
    • Governance
    • Risk Based approach (Categories/Factors and procedures)
    • Due Diligence
    • Activity Monitoring
    • Reports
    • Records
    • Directives
    • Annexures

FICA compliance is extensive and onerous.

This is our effort to lighten the burden.

Our business is to facilitate your compliance requirements. If you require support in your compliance journey, do not hesitate to contact us today.

-BC

Basic KYC Repeat

At the most basic level, the client due diligence part of FICA compliance requires at least three steps:

  • Photo ID
  • Proof of Residential Address
  • TFS screening

Of the three, Targeted Financial Sanctions (TFS) screening is the most onerous, creating a duty to screen continuously, not only when onboarding a client, but every day while the mandate remains active. TFS screening must be done daily.

Proof of Residential Address requires the client to submit proof of address that, at the time of verification, is not older than 90 days. Certain types of documents readily fall into this category: municipal utility bills, tenant statements, or in some cases, written confirmation of occupation, often by a spouse or family member.

Only the photo ID should not lapse.

Once onboarding is complete, the KYC record remains valid for a year.

This is an important distinction to make. At the time of document verification, the submitted documents may not be older than 90 days. However, once accepted, the KYC profile remains valid for one year.

This has the further implication that at some future date, every single KYC profile will lapse and the document verification process must be renewed.

Even a small firm with as few as 600 active matters, with any mandate exceeding 12 months, will face a challenge to repeat the document collection and verification process.

Practical steps will require contacting the client for current documents, receiving and considering them, and updating the local KYC document repository. The time and labour demands of such an activity must not be underestimated.

In the event where more stringent KYC requirements apply, such as a formal Risk Assessment, this will also have to be repeated.

What steps can be taken to ameliorate this problem?

Certain themes repeat when dealing with structural problems such as this. These include systems, training and time management.

Regardless of whether a manual or computer system is in use, KYC profiles should be scheduled on a calendar for the anticipated renewal date. With online systems, early warning notifications may be expected. Once the return date arrives, the relevant documents must be requested immediately. Where template documents or electronic systems are in use, these should be updated regularly.

Training keeps staff aware of the obligations under which they work. Training should include ethics and confidentiality, office procedure and escalation as well as practical use of any systems deployed.

Once the renewal cycle commences, it is important to complete the various relevant activities as rapidly as possible, in order to prevent disruption of other activities as far as possible and avoid potential bottlenecks.

Depending on the level of KYC required, the steps to be completed may include

  • recent proof of Residential Address
  • Risk Matrix assessment
  • Request of supporting documents

Note that TFS is not an annual activity.

-BC