Category: Compliance

KYC with BCOS

Know-Your-Client (KYC) is a process used by businesses and financial institutions to verify the identity of their clients and assess associated financial crime risks.

KYC, or Know Your Customer/Client, is the start of the due diligence process that organizations use to confirm that clients are who they claim to be. Due Diligence requires that client identities are verified and that clients can demonstrate that they are entitled to the funds they control and to evaluate potential risks associated with these. It is a core component of our risk based approach, covering anti-money laundering (AML) and counter-terrorism financing (CTF) and anti-Proliferation Funding efforts, helping prevent fraud, money laundering, terrorist financing, and other financial crimes. The process ensures that financial institutions and businesses maintain secure and compliant operations while building trust with clients.

Onboarding and Automated BCOS screening

The BCOS system is designed to screen new clients at time of onboarding, and then repeats screening at least every twenty four hours. This rapid and ongoing screening process increases confidence in the accuracy and usability of the data available.

Fast, accurate onboarding allows for enaging with clients confidently.

Onboarding of a new individual takes approximately eight minutes, from initiation up to first Risk Rating. The process is fluid and customizable, which means that impact on workflows are reduced and productivity maintained. This makes BCOS one of the fastest and most sought after products in the compliance and fraud prevention market space.

A key requirement of effective KYC is ongoing monitoring and re-screening. Ongoing monitoring is continuous, which means that when new information becomes available, at any time, the risk profile of a party must be updated. Re-screening requires regular, periodic re-assessment of the risk profile.

Once a profile has been created on BCOS ongoing monitoring and re-screening are background tasks. It is possible, but not necessary for the user to request an update, this is automated by the BCOS system.

Identity Verification

BCOS can provide official government database ID verification. Our unique search and AI enabled risk assessment provides a basic screening within 30 seconds. Yes, it is that fast.

Official Gotham City photo ID.

Identity screening is part of the immediate and initial KYC onboarding.

What exactly is screened?

  • Targeted Financial Sanctions (TFS)
  • POCDATARA
  • National Sanction Lists (NSL)
  • Hot Names
  • Electronic Footprint (adverse media)

Targeted Financial Sanctions (TFS)

The United Nations Security Council maintains a list of persons and organizations associated with crimes such as weapon smuggling, war crimes and others. These individuals are sanction on a global level and it is illegal to conduct business with the listed parties.

BCOS updates the search criteria within 24-hours of the official UN list being updated, and re-screens all parties listed on the system. This meets ongoing and re-screening requirements. With BCOS it is not necessary to reload an identity onto the system. Once loaded, BCOS does the heavy work.

POCDATARA

Protection of Constitutional Democracy Against Terrorism and Related Acts (POCDATARA) is uniquely South African. BCOS has been screening against a custom POCDATARA list since 2025.

Expected amendments to FICA in 2026 will update the reporting requirements under FICA to treat POCDATARA hits, the same way as TFS hits.

BCOS is ahead of the pack with a full implemented and working POCDATARA screen!

TFS and POCDATARA screening is part of the immediate and initial KYC onboarding.

National Sanctions Lists

South Africa does not maintain a national sanctions list, but most of our major trading partners do. These National Sanctions Lists (NSL) contain the names of persons, organizations, vessels & aircraft that are subject to the sanctions of those states. The implication is that it is illegal in those countries to trade with the sanctioned parties.

For example, the USA Office of Foreign Assets Control publishes a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called Specially Designated Nationals (SDNs). These appear on several lists, such as Foreign Sanctions Evaders List, the Sectoral Sanctions Identifications List, the List of Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions, the Non-SDN Palestinian Legislative Council List, the Non-SDN Menu-Based Sanctions List, and the Non-SDN Communist Chinese Military Companies List.

South Africa is not directly subject to the jurisdiction of those foreign NSL requirements. However, names are not added to NSL for no reason. It is prudent to extend standard KYC to include these NSL restrictions in order to determine possible increased financial crime risks.

At the moment BCOS screens against the NSL lists published by

  • USA
  • UK
  • EU
  • Australia
  • Canada

Hot Names

BCOS screens for specific names that are associated with specific roles or functions. Typically the names of Members of Parliament (MP) or Members of Provincial Legislatures (MPL) or other, similar government positions are included. These names are sources from official governments sources and updated as new information becomes available.

Electronic Footprint

Electronic Footprint

An electronic footprint, or digital footprint, or digital shadow, is the sum of traceable digital activities, actions, and communications that users leave online. This includes websites visited, emails sent, social media interactions, online purchases, and any information submitted through digital platforms. This can be both active, such as posts and passive such a media reports. The term adverse media is a subset of the electronic footprint and refers specifically to media reports.

Any online presence can be traced.

Hot Names, NSL and Electronic Footprint screening is part of the second phase of KYC onboarding. The time required from initiation to completing the risk assessment is approximately eight minutes for an individual and the risk assessment process concludes with a risk rating. Life, accurate, online risk assessments available 24/7.

BCOS is typically deployed as part of a complete compliance package, or integrated through our public API into corporate compliance solutions.

If you require more information on BCOS please do not hesitate to contact us.

-Be Compliant

Getting started with FICA

New to FICA Compliance? It can be intimidating to get started, but that is why we are here! We can help. Don’t delay, call today!

At the most basic level, FICA Compliance requires

  • Registration with FICA
  • Developing an RMCP

The Financial Intelligence Centre issues extensive supporting documentation. These documents are also updated frequently. The documents listed on this page can be downloaded directly from the fic.gov.za website and links to the current version of each document as of 13 October 2025.

Registration with FICA

Registration with FIC PUBLIC COMPLIANCE COMMUNICATION 5D

ON REGISTRATION WITH THE FINANCIAL INTELLIGENCE CENTRE IN TERMS OF SECTION 43B OF THE FINANCIAL INTELLIGENCE CENTRE ACT, 2001 (ACT 38 OF 2001)
Issued October 2023 and covers 64 pages. This document contains critical information on the who, what why of registering with FIC. This document provides the background to which organizations need to register, and contains valuable advice on the process to follow.

Developing an RMCP

Guidance on RMCPsPUBLIC COMPLIANCE COMMUNICATION No 53

ON THE RISK MANAGEMENT AND COMPLIANCE PROGRAMME IN TERMS OF SECTION 42 OF THE FINANCIAL INTELLIGENCE CENTRE ACT, 2001 (ACT 38 OF 2001) FOR DESIGNATED NON-FINANCIAL BUSINESSES AND PROFESSIONS
Issued August 2022 and covers 44 pages. This document outlines the expectations of FIC concerning the RMCP and technical content required to be considered compliant. This document forms the core of FICA compliance and an incomplete, or inappropriate RMCP will automatically result in a non-compliant finding.

Revised Guidance Note 7A


Revised-Guidance-Note-7A-–-Implementation-of-various-aspects-of-the-FIC-ActRevised-Guidance-Note-7A –Implementation of various aspects of the FIC Act

ON THE IMPLEMENTATIONOF VARIOUS ASPECTS OF THE FINANCIAL INTELLIGENCE CENTRE ACT,2001 (ACT 38 OF 2001)

Hot NewsIssued September 2025 and covers 76 pages. This revised document replaces Guidance Note 7A issued in February 2025. This document is essential reading for understanding concepts fundamental to the FICA process. Among other essential topics, it covers Know-Your-Client concepts, Ultimate Beneficial Ownership and developing a Risk Based Approach.

These links are presented as a first step approach to FICA compliance, and does not intend to cover all topics for all Accountable Institutions. These three documents cover almost 2oo pages and only provide guidance on what is required. It should be noted that subsequent to registration, FIC allows a grace period of 90 days for new Accountable Institutions to complete their FIC registration and submission of Risk Compliance Returns (a report) and RMCP. This long grace period is intentional. FIC appreciates the time and care required to meet the expected requirements.

If you require assistance in meeting your compliance obligations, please contact us for more information.

RMCP update April 2025

FIC Media Release 9/5/1/3 has reference.

On 13 February 2025 the High Court of South Africa, Gauteng Local Division, Johannesburg issued its first court order in terms of section 23 of POCDATARA. This court order has far reaching implications for FICA related compliance.

POCDATARA – Protection of Constitutional Democracy Against Terrorist and Related Activities Act, 2004 (Act 33 of 2004)
Section 23 allows for the freezing of property in terrorist related matters, upon application to court.

FICA – Financial Intelligence Centre Act, 2001 (Act 38 of 2001)

It should be noted that the practical effect of a court order in terms of Section 23 of POCDATARA has an effect similar to that of Section 26 of FICA, meaning that all transactions involving such an entity must stop immediately and be reported to FIC.

This has serious implication for all Accountable Institutions. At the least the current client base should be scrutinized to determine whether any of the names listed in the judgment appear.

Subsequently, and more importantly, the RMCP must be updated to provide for internal process and procedure to deal with POCDARATA related matters. Several aspects come to mind: sourcing POCDATARA related judgments, maintaining a searchable database of names, the frequency of searches conducted against these names, and finally the internal process for escalation and reporting when a client name is found in a POCDATARA related judgment.

The court order makes it clear that the effect of appearing on in POCDATARA judgment has the same practical effect as if the persons name is found in TFS screening result. The means that, just like with a positive TFS result, all business activities must stop, and a report made to FIC, typically within 24 hours.

FIC.Gov.ZA crashed

On Tuesday 11 March at approximately 16:50 the fic.gov.za site which acts as the portal the goAML page became unavailable.

No reasons have been given for same.

On Wednesday 12 March at approximately 12:18 the site became unresponsive.

Users are urged to return to the site and verify that their uploads are in fact secure.

In addition, the https://www.fic.gov.za/compliance-queries/ query page remains available. Unofficially and as a fallback mechanism, users are encouraged to submit their documents with screenshots of previous attempts through this mechanism.

A very brief overview of FICA Compliance

FICA Compliance requires infrastructure

  1. Registration with FIC/ goAML
  2. Appointment of Compliance Officer
  3. RMCP subject to periodic review
  4. RCR (deadline still May 2023)

Then, operationally

  • Targeted Financial Sanctions list screening (TFS)
  • Risk Assessment
  • KYC this includes client due diligence
  • Ongoing Business Relationships
  • Employee screening (Directive 8)

With resultant record keeping and reports

RMCP Development Consultancy

Here at Be Compliant, we have built the capacity to assist you with developing and maintaining your Risk and Compliance Management Program (RMCP).

Over that past year alone, we have trained or addressed several hundred individuals on FICA Compliance.

We have also assisted in the development and rollout of RMCP’s to numerous satisfied clients. It is no small achievement to state that all the RMCP developments that we have been involved with, have passed inspection.

Should you require assistance in developing your RMCP, please do not hesitate to complete the contact form above.

RMCP Upload Deadline 12 March 2025

URGENT FICA RMCP NOTICE
On 4 March 2025 the FIC instructed all accountable institutions to upload their current RMCP.
Deadline is 12 March 2025.

Please inspect your FIC portal for this notice

___________________________________________

This upload request is new. Historically the FIC requested RMCP’s on a one-by-one basis as a first step during inspection. This is the first time that a mass upload of documents is requested. It coincides with the start of the Financial Year for mist businesses.

Please note that the RMCP should be updated at least annually and that the date of approval required in the filename must not be older than 2024-03-01, in which case you will be uploading an outdated RMCP.

We believe that this is the start of a mass inspection cycle.

2025-02-13 FIC Guidance Note 7A

2025.2-GN-implementation-of-fic-actDownload

This is an extensive Guidance Note, covering some 75 pages.

The document discusses understanding Risk and the recommended steps to follow in order to achieve a risk based compliance state.

Although much of the document is general risk management theory, the document is intended specifically for accountable institutions in South Africa and deals with Money Laundering and Terrorist Financing. Interestingly geographic location features as a contributing risk factor.

The good news is that our documentation currently meet the requirements of this Guidance Note.

Workshops will follow, dealing with the practical implications of this Guidance Note, and FIC enforcement posture.

Watch this space.

RMCP Rollout

RMCP_rollout

Another successful RMCP rollout

The cornerstone of FICA Compliance is the Risk Management and Compliance Program (RMCP). This is the definitive quality control document that contains all the essential policy and procedures concerning the organization’s FICA compliance.

The document in the photo covers some 66 pages of policy, including the Risk Matrix and annexures. KYC is described covering basic, standard and enhanced client due diligence. The Annexures contain specific procedures and templates.

  • This document contains
    • Definitions
    • Governance
    • Risk Based approach (Categories/Factors and procedures)
    • Due Diligence
    • Activity Monitoring
    • Reports
    • Records
    • Directives
    • Annexures

FICA compliance is extensive and onerous.

This is our effort to lighten the burden.

Our business is to facilitate your compliance requirements. If you require support in your compliance journey, do not hesitate to contact us today.

-BC

Basic KYC Repeat

At the most basic level, the client due diligence part of FICA compliance requires at least three steps:

  • Photo ID
  • Proof of Residential Address
  • TFS screening

Of the three, Targeted Financial Sanctions (TFS) screening is the most onerous, creating a duty to screen continuously, not only when on boarding a client, but every day while the mandate remains active. TFS screening must be done daily.

Proof of Residential Address requires the client to submit proof of address that, at the time of verification, is  not older than 90 days.  Certain types of documents readily fall into this category: municipal utility bills, tenant statements, or in some cases, written confirmation of occupation, often by a spouse or family member.

Only the photo ID should not lapse.

Once onboarding is complete, the KYC record remains valid for a year.

This is an important distinction to make. At the time of document verification, the submitted documents may not be older than 90 days. However, once accepted, the KYC profile remains valid for one year.

This has the further implication that at some future date, every single KYC profile will lapse and the document verification process must be renewed.

Even a small firm with as few as 600 active matters, with any mandate exceeding 12, months will face a challenge to repeat the document collection and verification process.

Practical steps will require contacting the client for current documents, receipt and consideration of same and update the local KYC document repository. The time and labour demands of such an activity must not be underestimated.

In the event where more stringent KYC requirements apply, such as a formal Risk Assessment, this will also have to be repeated.

 What steps can be taken to ameliorate this problem?

Certain themes repeat when dealing with structural problems such as this. These include systems, training and time management.

Regardless of whether a manual or computer system is in use, KYC profiles should be scheduled on a calendar for the anticipated renewal date. With online systems, early warning notifications may be expected. Once the return date arrives, the relevant documents must be requested immediately. Where template documents or electronic system are in use, these should be updated regularly.

Training keeps staff aware of the obligations under which they work. Training should include ethics and confidentiality, office procedure and escalation as well as practical use of any systems deployed.

Once the renewal cycle commences, it is important to complete the various relevant activities as rapidly as possible, in order to prevent disruption of other activities as far as possible and avoid potential bottlenecks.

Depending on the level of KYC required, the steps to be completed may include

  • recent proof of Residential Address
  • Risk Matrix assessment
  • Request of supporting documents

Note that TFS is not an annual activity.

-BC