Question 1

What is Enhanced Due Diligence (EDD) and when is it required under FICA?

Accepted Answer

Enhanced Due Diligence (EDD) is a heightened level of customer due diligence required under the Financial Intelligence Centre Act when a business relationship presents an elevated risk of money laundering, terrorist financing, or proliferation financing. South African accountable institutions must apply EDD when onboarding clients identified as Politically Exposed Persons (PEPs) or Prominent Influential Persons (PIPs), clients connected to high-risk or FATF grey-listed jurisdictions, entities with complex or opaque ownership structures, and relationships where the source of wealth or funds cannot be readily established through standard CDD. Unlike standard Customer Due Diligence, EDD requires deeper investigation, a documented risk rationale, senior management sign-off in high-risk cases, and more frequent ongoing review. KYCopilot generates a structured, fully source-cited EDD report in under five minutes - covering adverse media, sanctions, PEP/PIP status, court records, and country risk across 200+ jurisdictions.

Question 2

Who qualifies as an accountable institution under the FIC Act?

Accepted Answer

Schedule 1 of the Financial Intelligence Centre Act designates the categories of businesses legally subject to FICA's full Customer Due Diligence, Enhanced Due Diligence, and record-keeping obligations. These include banks and mutual banks, long-term insurers, attorneys and conveyancers, estate agents and property practitioners, financial services providers (FSPs), investment managers and unit trust administrators, forex and exchange-controlled entities, gambling and betting operators including online platforms, crypto asset service providers (CASPs), trust and company service providers, accounting and auditing firms, and motor vehicle dealers transacting above prescribed thresholds. If your business falls within Schedule 1, you are legally required to maintain a Risk Management and Compliance Programme (RMCP), conduct customer due diligence at onboarding, and screen clients against sanctions and adverse media databases. KYCopilot is purpose-built for all Schedule 1 categories operating in South Africa.

Question 3

What is the difference between a PEP and a PIP under South African law?

Accepted Answer

Internationally, a Politically Exposed Person (PEP) refers to an individual entrusted with a prominent public function - typically heads of state, senior politicians, senior government officials, military officers, and executives of state-owned enterprises. The Financial Intelligence Centre Act adds a South Africa-specific category: the Prominent Influential Person (PIP). A PIP includes individuals who hold, or have held, senior executive or board-level positions in significant private or public sector organisations in South Africa - such as CEOs, CFOs, and board members of major listed or large private companies - who may not hold formal government positions but carry comparable influence and potential exposure to corruption risk. FICA requires accountable institutions to identify both PEPs and PIPs and apply enhanced due diligence accordingly. KYCopilot screens for all three PEP types - Domestic, Foreign, and International Organisation - as well as South African PIPs, with full role history and sub-category tagging.

Question 4

What is a Risk-Based Approach to FICA compliance and how should I document it?

Accepted Answer

The Financial Action Task Force (FATF) and the FIC Act require accountable institutions to implement a Risk-Based Approach - meaning compliance resources and scrutiny must be proportionate to the actual money laundering and terrorist financing risk each client relationship presents. In practice, your institution must assess and document the risk profile of every client across factors including the nature of the business relationship, products and services used, geographic exposure, delivery channels, and the client's PEP or PIP status. These risk assessments must be maintained in your Risk Management and Compliance Programme (RMCP) and updated when material changes occur. KYCopilot's COMFORT Score™ provides a structured, percentage-based risk rating for every entity screened - covering all required risk dimensions with transparent, auditable reasoning - giving your compliance team a defensible score to anchor your RBA documentation and RMCP.

Question 5

How often are sanctions databases updated, and why does the refresh frequency matter?

Accepted Answer

KYCopilot's sanctions data is refreshed every 60 minutes across 12+ lists - including OFAC (US), UN Consolidated Sanctions, EU Sanctions, the FIC Targeted Financial Sanctions List (South Africa), the UK Sanctions List (UKSL), INTERPOL-UN Security Council Special Notices, the World Bank Debarred List, the Canadian Autonomous Sanctions List, SECO (Switzerland), the US DEA List, and the US Denied Persons List. Refresh frequency matters because sanctions designations can happen without warning - a client who was clean at onboarding may be listed within hours of a geopolitical event or regulatory decision. Institutions relying on weekly or monthly database updates carry an exposure window during which they may unknowingly transact with a newly designated party - a sanctions violation regardless of intent. Real-time refresh is the only defensible approach under FICA's ongoing Customer Due Diligence obligations.

Question 6

What is adverse media screening and is it a legal obligation under FICA?

Accepted Answer

Adverse media screening - the systematic review of global news and media sources for evidence of a client's involvement in financial crime, corruption, terrorism, trafficking, fraud, or other risk categories - is not merely best practice. The Financial Action Task Force, whose standards South Africa's FICA framework implements, treats adverse media screening as a required component of a compliant Customer Due Diligence and Enhanced Due Diligence programme. Relying solely on sanctions lists and PEP databases leaves significant risk intelligence gaps that the FIC expects accountable institutions to address. KYCopilot screens across 22 adverse media categories - including corruption, financial crime, regulatory breaches, ESG controversies, cybersecurity incidents, and court records - using AI-powered analysis. Critically, KYCopilot also surfaces probable absolution signals, ensuring a balanced assessment that does not penalise clients for allegations that were later disproven or withdrawn.

Question 7

Can KYCopilot reports be used as documentary evidence during a FIC inspection?

Accepted Answer

Yes. KYCopilot reports are structured to meet the documentary standards expected during a Financial Intelligence Centre inspection or regulatory review. Each report includes source citations linked to original materials, a transparent risk rationale explaining how each risk score was derived, a named list of screening databases checked, and a clear audit trail of the search. The FIC does not mandate a specific tool or report format - it requires that your institution demonstrate that due diligence was conducted, that its depth was proportionate to the risk level identified, and that records are retained for the period prescribed under Section 28. KYCopilot reports satisfy all three requirements. They are fully exportable as structured documents, making them straightforward to archive against your record-keeping obligation and present to auditors or supervisors on request.

Question 8

What does POPIA require when collecting CDD data, and does it conflict with FICA?

Accepted Answer

The Protection of Personal Information Act (POPIA) and the Financial Intelligence Centre Act impose overlapping but reconcilable obligations. POPIA requires institutions to collect only the minimum personal information necessary for a specified, lawful purpose - which appears to conflict with FICA's requirement to gather comprehensive CDD information including identity documents, source of wealth evidence, and business relationship context. However, POPIA provides a direct exception: personal information may be processed where it is necessary to comply with a legal obligation. FICA's CDD requirements constitute precisely that obligation, enabling your institution to collect and process required due diligence data on that basis. The key constraint is proportionality - collect what FICA requires, not more - and comply with Section 28's five-year retention limit, after which data must be deleted absent a separate lawful retention basis. KYCopilot processes only the data required to execute FICA-mandated screening.

Question 9

What is KYB (Know Your Business) and how does it differ from KYC in South Africa?

Accepted Answer

KYB (Know Your Business) is the process of verifying the identity, ownership structure, legal standing, and risk profile of a legal entity — such as a company, trust, partnership, or close corporation — before and throughout a business relationship. KYC (Know Your Customer), by contrast, applies to natural persons: confirming an individual's identity and assessing their personal risk. The distinction matters because legal entities introduce a layer of complexity that individual verification does not. A company may have layered ownership structures, nominee directors, multiple beneficial owners, and subsidiaries across different jurisdictions. Under FICA, accountable institutions must apply the KYB framework when their client is a legal entity — identifying and verifying the entity itself, its authorised representatives, and the natural persons who ultimately own or control it. A compliant KYB programme requires more than a CIPC registration check: it demands beneficial ownership resolution, sanctions and adverse media screening on all connected persons, and ongoing monitoring for material changes to the entity's structure or risk profile. KYCopilot supports both KYB and KYC within the same workflow, resolving entity structures and scoring risk across all constituent persons and related entities in a single, source-cited report.

Question 10

What is beneficial ownership under FICA and how deep must the ownership chain be traced?

Accepted Answer

Under FICA and the Companies Act, a beneficial owner is any natural person who ultimately owns or exercises effective control over a legal entity. FICA requires accountable institutions to identify every natural person who directly or indirectly owns or controls 25% or more of the shares or voting rights in a client entity, or who otherwise exercises effective control — such as the ability to appoint the majority of directors or control the board. The obligation does not stop at the first layer of ownership. If a company is owned by a holding company, the accountable institution must trace through the holding company structure to identify the natural persons behind it, continuing until all natural persons meeting the 25% threshold are identified and verified. In practice, this means resolving complex group structures, nominee arrangements, and trust relationships to their ultimate natural person controllers. The FIC's guidance is clear: an inability to identify the beneficial owner is not a satisfactory conclusion — it constitutes an elevated risk that must be addressed, potentially requiring EDD or, in some circumstances, declining the relationship entirely. KYCopilot's I2G™ intelligence tool maps directorship networks and related-entity relationships to help compliance teams resolve ownership chains systematically, with full audit documentation at each node.

Question 11

What is a Risk Management and Compliance Programme (RMCP) under FICA and what must it contain?

Accepted Answer

A Risk Management and Compliance Programme (RMCP) is a documented framework that every accountable institution under FICA is legally required to develop, implement, and maintain. It is the foundational document demonstrating how your institution identifies, assesses, monitors, and mitigates the money laundering, terrorist financing, and proliferation financing risks specific to your business. Under FIC Act regulations, an RMCP must contain: a documented risk assessment of the institution's products, services, client types, delivery channels, and geographic exposures; policies and procedures for Customer Due Diligence, Enhanced Due Diligence, and Simplified Due Diligence proportionate to risk; processes for identifying and verifying clients, beneficial owners, and authorised representatives; procedures for ongoing monitoring of business relationships and transactions; a record-keeping framework compliant with Section 28; an employee training programme; an independent audit and review mechanism; and escalation procedures for suspicious activity reporting. The RMCP must be reviewed at minimum annually and updated when the FIC issues new guidance or when material changes occur in the institution's risk profile or business model. During a FIC inspection, the RMCP is the first document requested — its absence or inadequacy is one of the most consistent bases for enforcement action across all Schedule 1 sectors.

Question 12

What are South Africa's record-keeping requirements under Section 28 of FICA?

Accepted Answer

Section 28 of the Financial Intelligence Centre Act requires accountable institutions to retain all records relating to Customer Due Diligence, business transactions, and account files for a minimum of five years. The five-year retention clock runs from the date the business relationship ends, the date a transaction is concluded, or the date the last entry is made in the record — whichever is latest. Records that must be retained include: all CDD documentation collected at onboarding and during ongoing monitoring, including identity documents, beneficial ownership records, and source of wealth evidence; a record of every transaction conducted with or on behalf of a client, including its nature, date, and value; correspondence and reports relating to the relationship; and any EDD reports produced during the relationship. Records must be maintained in a form that allows prompt retrieval upon request from the FIC, SARB, or relevant supervisory body. Storing records exclusively on overseas servers without accessible local retrieval may create a compliance gap. After the five-year period expires, records must generally be deleted absent a separate lawful retention basis under POPIA. KYCopilot reports are fully exportable as structured documents, making them straightforward to archive, retrieve, and present to auditors against the Section 28 obligation.

Question 13

What is the difference between Standard CDD, Simplified CDD, and Enhanced Due Diligence (EDD) under FICA?

Accepted Answer

FICA's risk-based approach requires accountable institutions to calibrate the depth of their due diligence to the level of money laundering and terrorist financing risk a client relationship presents, resulting in three tiers. Standard Customer Due Diligence (CDD) is the default baseline: identifying and verifying the client's identity, understanding the nature and purpose of the relationship, and conducting ongoing monitoring proportionate to the risk. It applies when no specific indicators elevate or reduce the inherent risk. Simplified Due Diligence (SDD) may only be applied where the FIC Act or its regulations specifically permit it — for categories of clients or products that carry demonstrably lower risk, such as certain government entities or qualifying low-value insurance products. Critically, SDD is not a unilateral decision: it requires a documented justification and cannot be applied simply because a client is familiar or long-standing. Enhanced Due Diligence (EDD) is required — not merely recommended — when a relationship presents elevated risk indicators: PEP or PIP status, connections to high-risk or FATF grey-listed jurisdictions, complex or opaque ownership structures, or circumstances where source of wealth cannot be readily established. EDD demands a deeper investigation, a documented risk rationale, senior management sign-off in the most elevated cases, and more frequent ongoing review. KYCopilot generates full EDD reports covering all required risk dimensions in under five minutes, with complete source citations.

Question 14

Can AI-generated compliance reports satisfy FICA documentation requirements?

Accepted Answer

Yes — provided the AI system meets the evidentiary standards the FIC and supervisory bodies apply when reviewing compliance records. The FIC Act does not mandate a specific format or methodology for compliance documentation. It requires that due diligence was conducted, that its depth was proportionate to the risk identified, that the reasoning is documented, and that records are retained for the Section 28 period. An AI-generated report satisfies these requirements where it identifies the specific databases and sources checked along with their last-updated dates; provides a traceable rationale for each risk conclusion rather than an opaque score; cites original source material that an auditor can independently verify; and is retained in a retrievable format. The critical distinction is between AI systems that generate verified, source-cited outputs and those that produce unverifiable summaries based on reasoning that cannot be inspected or audited — the latter create significant compliance exposure regardless of how plausible the output appears. KYCopilot reports are built specifically around FICA's documentary requirements: every risk finding links to its source, every screening database checked is named, and the COMFORT Score™ is derived from a transparent, auditable methodology. The output is a structured document designed to be presented directly to auditors and supervisory bodies.

Question 15

What is the difference between rule-based sanctions screening and AI-powered risk assessment?

Accepted Answer

Rule-based sanctions screening applies fixed logic: a name is checked against a designated list, and a match or no-match is returned based on string similarity thresholds. It is fast, predictable, and well-understood — and it is the minimum standard for sanctions compliance. Its limitation is that it operates in isolation: it does not assess associations, context, or the network of relationships surrounding a subject. AI-powered risk assessment extends the analysis beyond list-matching to contextual intelligence. Rather than asking only whether a name appears on a list, an AI system asks: what is known about this entity across sanctions databases, adverse media, court records, regulatory actions, and corporate relationships? How do those signals combine into a coherent risk picture? Are there association risks — directors shared with sanctioned entities, suppliers with regulatory breaches, networks with known financial crime links — that pure list-matching would miss entirely? The practical consequence is that rule-based screening catches designated parties; AI-powered assessment catches the risk that surrounds them, which is often where the actual exposure sits. KYCopilot combines both: real-time sanctions screening across 12+ lists refreshed every 60 minutes, with AI-powered contextual analysis across 22 risk categories, producing a single COMFORT Score™ that integrates all signals into a defensible, source-cited risk rating.

Question 16

What does South Africa's exit from the FATF grey list mean for compliance teams?

Accepted Answer

South Africa was placed on the FATF grey list in February 2023, signalling strategic deficiencies in its AML and counter-terrorism financing framework. Removal in 2025 followed sustained legislative reform, increased FIC enforcement, and demonstrated progress against FATF's action plan. For compliance teams, the exit carries three practical implications. First, the automatic risk uplift that grey-list status triggered — requiring enhanced due diligence for all South African counterparties under many foreign institutions' policies — will progressively unwind as global firms update their country risk frameworks. Second, the regulatory posture that achieved the exit has not relaxed: the FIC and SARB have signalled clearly that enforcement intensity will be maintained. The grey list exit was earned through tighter supervision, not looser standards. Third, compliance teams should update their country risk assessments and RMCP documentation to reflect South Africa's changed FATF status — both to accurately reflect reduced inherent risk and to demonstrate to auditors that the assessment is actively maintained rather than static. Failure to update risk ratings after a jurisdiction's FATF status changes is itself an indicator of inadequate ongoing monitoring. KYCopilot's Country Risk module is updated in line with FATF evaluations, providing current risk ratings across 200+ jurisdictions.

Question 17

What FICA obligations apply to crypto asset service providers (CASPs) in South Africa?

Accepted Answer

Crypto asset service providers were added to Schedule 1 of the Financial Intelligence Centre Act in 2022, making them accountable institutions subject to the full suite of FICA obligations. A CASP is any person who, as a regular feature of their business, exchanges crypto assets for fiat currency or other crypto assets, transfers crypto assets, provides custodial wallet services, participates in or facilitates token offerings, or provides financial services relating to a crypto asset issuer. As a Schedule 1 accountable institution, a CASP must develop and implement a compliant RMCP; conduct Customer Due Diligence on all clients at onboarding, including identity verification and beneficial ownership where the client is an entity; apply Enhanced Due Diligence for elevated-risk clients including PEPs and those connected to high-risk jurisdictions; screen against sanctions lists before executing transactions; report suspicious and unusual transactions to the FIC; and retain all records for the Section 28 period. The crypto sector has been a priority focus for FIC supervision since 2023, with a number of CASPs receiving supervisory notices for incomplete RMCP documentation and inadequate Customer Due Diligence at onboarding. CASPs are also subject to FSCA licensing requirements, and supervisory bodies increasingly cross-reference findings. KYCopilot's screening and EDD capabilities apply directly to CASP onboarding and ongoing monitoring workflows.

Question 18

How often must CDD records be reviewed and updated under FICA's ongoing monitoring obligation?

Accepted Answer

FICA does not prescribe a fixed review interval. Instead, it requires accountable institutions to apply a risk-proportionate approach to ongoing monitoring, which means your RMCP must specify review frequencies calibrated to your client risk tiers. A widely adopted framework is: high-risk clients — including PEPs, PIPs, and EDD-rated relationships — reviewed at minimum annually or when a material trigger event occurs; medium-risk clients reviewed every two to three years; lower-risk clients reviewed every three to five years. Trigger-based reviews are equally important and cannot be replaced by periodic reviews alone. A client relationship must be re-assessed whenever a material change occurs: a change in directors or beneficial owners, a new sanctions designation, adverse media surfacing, a significant change in transaction behaviour, or the client entering a new business line or jurisdiction. The FIC's enforcement guidance has been consistent that periodic re-verification is not merely best practice — it is a legal obligation under the ongoing CDD provisions of the Act. Compliance teams relying solely on onboarding due diligence without a structured review programme are in breach of FICA regardless of how thorough their initial checks were. KYCopilot's continuous monitoring capability flags changes to sanctions status, adverse media, and directorship in real time, ensuring records remain current between formal review cycles without requiring manual re-screening.

Your compliance questions, answered.

Join 500+ professionals & claim your starter credits today.