FSCA AML Compliance for South African Financial Institutions: 2026 Regulatory Framework

Introduction: South Africa's AML/CFT Landscape After the FATF Grey List Exit

On 24 October 2025, South Africa was officially removed from the Financial Action Task Force (FATF) Grey List  a landmark achievement that recognized the significant Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) compliance investment made by South Africa's financial sector, government, and regulatory bodies since 2023.

But grey list removal has not meant regulatory relaxation. The Financial Sector Conduct Authority (FSCA) and the Financial Intelligence Centre (FIC) have, if anything, intensified their supervisory focus in the post-grey-list period. 2025 saw a significant increase in FSCA compliance inspections, administrative penalties against non-compliant financial services providers (FSPs), and enforcement actions for FICA violations.

For South African banks, fintechs, insurers, asset managers, and other accountable institutions, 2026 represents a period of heightened regulatory accountability,  one in which the expectation is not just technical AML/CFT compliance but genuinely effective programs that produce meaningful financial intelligence.

This guide provides a complete overview of South Africa's AML/CFT compliance framework, the FSCA's role, FICA requirements, and what financial institutions must do to achieve and maintain compliance in 2026.

South Africa's AML/CFT Regulatory Architecture

1. The Financial Intelligence Centre Act (FICA)

The Financial Intelligence Centre Act 38 of 2001, as substantially amended by the Financial Intelligence Centre Amendment Act 1 of 2017, is the cornerstone of South Africa's AML/CFT framework. FICA established the Financial Intelligence Centre (FIC) and created the obligations that "accountable institutions"  a defined list of regulated business types  must comply with. FICA aligns with the FATF's 40 Recommendations and adopts a risk-based approach as its foundational AML/CFT compliance philosophy.

2. The Financial Intelligence Centre (FIC)

The Financial Intelligence Centre is South Africa's financial intelligence unit, established under FICA. The FIC:

1. Receives, analyses, and disseminates financial intelligence (including Suspicious Transaction Reports and Cash Threshold Reports)

2. Issues Guidance Notes and Public Compliance Communications (PCCs) interpreting FICA obligations

3. Conducts inspections and issues administrative sanctions for FICA non-compliance

4. Co-operates with INTERPOL, FATF, and foreign financial intelligence units as part of the global AML/CFT network

The FIC has issued substantial administrative penalties against accountable institutions,  including a R2.16 billion collective fine against 23 banks in 2022 for beneficial ownership deficiencies,  making it clear that FICA enforcement is financially consequential.

3. The Financial Sector Conduct Authority (FSCA)

The FSCA is South Africa's market conduct regulator, established under the Financial Sector Regulation Act (FSRA) 2017. For AML/CFT purposes, the FSCA:

1. Supervises the AML/CFT compliance of Financial Services Providers (FSPs), collective investment schemes, retirement funds, and other FSCA-regulated entities

2. Conducts on-site inspections assessing FICA compliance

3. Imposes administrative penalties and debarment for non-compliance

4. Collaborates with the FIC on enforcement

4. The Prudential Authority (PA)

The Prudential Authority (housed within the South African Reserve Bank) supervises the AML/CFT compliance of banks, mutual banks, cooperative banks, insurers, and other prudentially regulated entities  including FICA compliance.

5. South African Reserve Bank (SARB) / National Payment System

The SARB provides overarching oversight of the financial system and issues guidance through the Banking Supervision Department on AML/CFT risk management expectations for banks.

Interesting read: Challenges of Digital Identity Verification in South Africa

Who is an Accountable Institution Under FICA?

FICA Schedule 1 defines "accountable institutions" as businesses in specific sectors with elevated money laundering and terrorist financing risk exposure. In South Africa, accountable institutions include the following:

• Commercial banks, mutual banks, and co-operative banks
• Long-term and short-term insurers
• Collective investment scheme managers
• Estate agents
• Attorneys and notaries (when handling client funds)
• Accountants and auditors (for certain services)
• Gambling institutions
• Motor vehicle dealers
• Crypto asset service providers (CASPs)  added by the 2022 FICA amendment
• Exchange control dealers
• Companies and close corporations providing financial services

For the fintech sector, this means banking-as-a-service platforms, payment service providers, digital lending platforms, crypto exchanges, remittance operators, and insurtech firms are all potentially accountable institutions with full FICA AML/CFT obligations.

Interesting read: KYC Requirements South Africa: A Simplified Guide for 2026

Core FICA AML/CFT Obligations for Accountable Institutions

1. Risk and Compliance Management Programme (RCMP)

Every accountable institution must develop and implement a documented Risk and Compliance Management Program (RCMP), the South African equivalent of an AML/CFT program. The RCMP must:

1. Be based on a documented risk assessment covering the institution's customer base, products, channels, and geographies

2. Be approved at the board or equivalent senior management level

3. Be reviewed at least annually or whenever material changes occur

4. Document all AML/CFT policies, procedures, and controls

5. Include a training program with documented delivery

2. Customer Due Diligence (CDD)  FICA Sections 21–21H

At the commencement and throughout the duration of a business relationship, accountable institutions must perform the following CDD measures as part of their AML/CFT obligations:

1. Standard CDD

1. Establish and verify the identity of the client (natural person or legal person)

2. Identify and verify the beneficial owners of legal persons

3. Understand the nature and purpose of the business relationship

4. Understand the source of funds

2. Enhanced Due Diligence (EDD)

Required for high-risk customers, including:

1. Domestic and foreign politically exposed persons (PEPs) and their family members and known associates

2. Customers in or from high-risk jurisdictions (those on FATF grey or black lists)

3. Customers with complex ownership structures or opaque beneficial ownership

4. Non-face-to-face business relationships

3. Simplified Due Diligence (SDD)

Permitted for low-risk products and customers where the FIC has issued specific guidance.

3. Beneficial Ownership  Post-2025 Focus Area

Following South Africa's grey list removal, beneficial ownership identification has emerged as the top FSCA/FIC AML/CFT inspection priority. Accountable institutions must:

• Identify and verify all natural persons holding ≥5% of a legal person's shares or voting rights
• Document ownership chains for complex structures
• Screen beneficial owners against sanctions and PEP lists
• Update beneficial ownership information when material changes occur

The Companies and Intellectual Property Commission (CIPC) maintains a beneficial ownership register (effective November 2023), and institutions must leverage this data in their KYB programs.

4. Transaction Monitoring

FICA requires accountable institutions to monitor business relationships on an ongoing basis as a core element of an effective AML/CFT program. Effective transaction monitoring in South Africa must:

1. Track transactions for patterns inconsistent with the institution's knowledge of the client

2. Detect transactions that may indicate money laundering, terrorist financing, or proliferation financing

3. Flag transactions involving high-risk jurisdictions, sanctioned parties, or unusual transaction structures

4. Feed into suspicious transaction assessment and reporting workflows

5. Suspicious Transaction Reporting (STR)  FICA Section 29

When an accountable institution knows, suspects, or has reason to suspect that a transaction involves money laundering or terrorist financing, it must file a Suspicious Transaction Report (STR) with the FIC even if the transaction is not completed. Key requirements:

1. STRs must be filed "immediately." The FIC interprets this as within 15 working days of the suspicion forming, but same-day or next-day filing for ongoing transactions is expected

2. No "tipping off":  the institution may not inform the customer that an STR has been filed

3. STRs are filed via the FIC's online goAML platform; registration is mandatory

4. STR quality is a key examination metric; poorly drafted STRs with insufficient intelligence content attract adverse findings

6. Cash Threshold Reports (CTR)  FICA Section 28

Accountable institutions must file a Cash Threshold Report (CTR) for any cash transaction of R49,999 or more. This applies to both cash received and cash paid out. CTRs are a key data source for AML/CFT financial intelligence and must be filed via the goAML platform.

7. Record Keeping  FICA Sections 22–23

All records relating to CDD, transactions, and STRs must be kept for a minimum of 5 years from the date of the transaction or the end of the business relationship (whichever is later). Records must be readily accessible for FIC and FSCA examination.

FSCA AML/CFT Inspection Focus Areas in 2026

FSCA AML/CFT inspections in 2026 concentrate on the following priority areas:

Post-Grey-List: What Changed for South African Financial Institutions?

South Africa's October 2025 FATF grey list exit was conditional on demonstrated effectiveness,  not just technical AML/CFT compliance. The FATF assessed South Africa's AML/CFT system on 40 technical compliance criteria and 11 effectiveness outcomes. This distinction matters enormously for institutions:

1. Technical compliance means having the right policies, procedures, and systems in place

2. Effectiveness means those systems produce genuine financial intelligence, detect real money laundering and terrorist financing activity, and lead to investigations, prosecutions, and confiscations

South African regulators are now expected to maintain and demonstrate effectiveness,  meaning they will assess whether your AML/CFT program actually works, not just whether you have one. For institutions, this means STR quality, investigation depth, and measurable risk reduction are scrutinized far more rigorously than under a technical-only framework.

Also read: KYC in South Africa: User Verification and Compliance

South Africa AML/CFT Compliance Checklist for Banks and Fintechs (2026)

1. Legal and Governance

• FICA Risk and Compliance Management Programme (RCMP) documented and board-approved
• Compliance officer designated with documented authority
• Annual AML/CFT risk assessment conducted and documented

2. Customer Due Diligence

• CDD procedures in place for all accountable institution activities
• EDD procedures for PEPs, high-risk jurisdictions, and complex structures
• Beneficial ownership identification (≥5% threshold), CIPC cross-referencing
• Ongoing CDD monitoring implemented

3. Transaction Monitoring

• Automated transaction monitoring system deployed
• Rules calibrated to institution's AML/CFT risk profile
• False positive rate documented and managed

4. Reporting

• goAML platform registration active
• STR filing procedures documented and tested
• CTR reporting for cash transactions R49,999
• Record retention for ≥5 years confirmed

5. FSCA Readiness

• Last FSCA/FIC AML/CFT inspection findings reviewed and remediated
• Examination-ready documentation available: RCMP, training records, CDD files, STR log
• Crypto asset AML/CFT compliance programme in place (if CASP)

How Youverify Supports South African AML/CFT Compliance

Youverify's compliance platform includes capabilities designed for the South African AML/CFT regulatory environment: Read more here: Youverify South Africa API documentation.

1. CIPC KYB integration  automated business verification against CIPC's beneficial ownership register

2. SmartID verification:  real-time identity verification against South African national ID databases

3. FIC sanctions list screening:  continuous screening against FIC, OFAC, UN, and EU lists to meet AML/CFT obligations

4. Transaction monitoring  pre-configured rules reflecting South African payment patterns and CTR thresholds

5. goAML-compatible STR reporting  automated generation of FIC-format STRs
 

Conclusion

South Africa's AML/CFT compliance environment in 2026 is defined by one overriding expectation: effectiveness, not just technical compliance. The FATF grey list exit was a milestone, not a finish line. FSCA and FIC inspections are intensifying, beneficial ownership requirements are tightening, and institutions that rely on outdated, manual, or box-ticking anti-money laundering and countering the financing of terrorism programs face growing enforcement risk.

For South African banks, fintechs, insurers, and CASPs, the path forward requires investment in modern AML/CFT technology,  real-time transaction monitoring, automated CDD and KYB, CIPC-integrated beneficial ownership verification, and goAML-compatible STR reporting.

Youverify's FICA-aligned AML/CFT compliance platform helps South African institutions build genuinely effective programs,  not just compliant ones,  with the data integrations, automation, and regulatory intelligence needed to satisfy FIC and FSCA scrutiny in 2026 and beyond. To get started, book a free demo with youverify today.

Other interesting reads: SRD Status Check Payment Approved: What It Means

About the Author