Financial Intelligence Centre Act

    South Africa

    Financial Intelligence Centre Act

    The Financial Intelligence Centre Act 38 of 2001 (‘the Act’) aims to: 

    • impose certain duties on institutions and other persons who might be used for money laundering and the financing of terrorism purposes; 
    • provide for customer due diligence measures; and 
    • provide for a riskbased approach to client identification and verification within risk management and compliance programmes, as well as for governance and training relating to antimoney laundering and counter terrorist financing (‘AML/CTF’). 

    Last Updated: July 30, 2019

  • Requirements

    An accountable institution (which is defined, in accordance with section 1(1) of the Act, as any person referred to in Schedule 1 of the Act) is prohibited to establish a business relationship or conclude a single transaction with an anonymous client or a client with an apparent false or fictitious name (section 20(a) of the Act).  

    When an accountable institution engages with a prospective client to enter into a single transaction or to establish a business relationship, it must (section 21(1) of the Act): 

    • establish and verify the identity of the client; 
    • if the client is acting on behalf of another person, establish and verify the identity of that other person and the client’s authority to establish the business relationship or to conclude the single transaction on behalf of that other person; 
    • if another person is acting on behalf of the client, establish and verify the identity of that other person and the other person’s authority to act on behalf of the client. 

    An accountable institution must also obtain information to determine whether future transactions are consistent with the institution’s knowledge of that prospective client. In particular, the collected information shall concern (section 21(a) of the Act): 

    • the nature of the business relationship; 
    • the intended purpose of the business relationship; and 
    • the source of the funds which that prospective client expects to use in concluding transactions in the course of the business relationship. 

    When the engaged client is a legal person, the accountable institution, in addition to the obligations under section 21(1) and 21(a) of the Act, must (section 21(b)(2) of the Act): 

    • establish the identity of the beneficial owner of the client; and 
    • take reasonable steps to verify the identity of the beneficial owner of the client, so that the accountable institution is satisfied that it knows who the beneficial owner is.

    Moreover, an accountable institution must also conduct ongoing due diligence in respect of a business relationship. In particular, the requested ongoing due diligence include the following activities (section 21(c) of the Act): 

    • monitoring of transactions undertaken throughout the course of the relationship, such as the source of funds, the background and purpose of all large transactions, and all unusual patterns of transactions; and 
    • keeping information obtained for the purpose of establishing and verifying the identities of clients pursuant to sections 21, 21(a) and 21(b) of the Act, up-to- date.

    When an accountable institution is not able to adhere with the obligations provided by sections 21, 21(a), 21(b) or 21(c) of the Act, it may not establish a business relationship or conclude a transaction and must terminate the existing business relationship (section 21(e) of the Act). 

    When an accountable institution is required to obtain information pertaining to a client or prospective client pursuant to sections 21 to 21(H) of the Act, it must keep a record of that information (section 22(1) of the Act). 

    An accountable institution must also keep a record of every transaction, whether single or concluded in the course of a business relationship (section 22(a)(1) of the Act). 

    Records provided by sections 22 and 22(a) of the Act may be kept by a third party on behalf of the accountable institution, as long as the accountable institution, as well as the Financial Intelligence Centre (‘FIC’) have free and easy access to the records (section 24(1) of the Act). Furthermore, ithe third party fails to properly comply with the requirements of sections 22 and 22(a), the accountable institution shall be deemed liable for that failure (section 24(2) of the Act).  

    A person who carries on a business or is in charge of or manages a business or who is employed by a business and who knows or ought reasonably to have known or suspected that: 

    • the business has received or is about to receive the proceeds of unlawful activities or property which is connected to an offence relating to the financing of terrorist and related activities; 
    • a transaction or series of transactions to which the business is a party, among other things: facilitated or is likely to facilitate unlawful activities connected to an offence relating to the financing of terrorist and related activities;  has no apparent business or lawful purpose;  is conducted for the purpose of avoiding giving rise to a reporting duty under the Act;  may be relevant to the investigation of an evasion or attempted evasion of a duty to pay any tax, duty or levy imposed by legislation administered by the Commissioner for the South African Revenue Service; relates to an offence relating to the financing of terrorist and related activities; or  
    • the business has been used or is about to be used in any way for money laundering purposes or to facilitate the commission of an offence relating to the financing of terrorist and related activities, 

    must report to the FIC the grounds for the knowledge or suspicion and the prescribed particulars concerning the transaction or series of transactions (section 29(1) of the Act). 

    In addition, an accountable institution must develop, document, maintain and implement a programme for AML/CTF management and compliance (section 42(1) of the Act). 

    The programme shall contain the requirements listed in section 42(2) of the Act. 

    An accountable institution must also provide ongoing training to its employees to enable them to comply with the provisions of the Act and the programme which are applicable to them (section 43 of the Act) 

    The board of directors of an accountable institution which is a legal person with a board of directors, or the senior management of an accountable institution without a board of directors, must ensure compliance by the accountable institution and its employees with the provisions of the Act (section 42(a)(1) of the Act).  

    Every accountable institution must register with the FIC within the prescribed term (section 43(b)(1) of the Act). 

    User guides published by FIC are available here. 

  • How OneTrust Helps

    OneTrustVendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews. 

    Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrustVendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions. 

    For additional details on Vendorpedia, read more here. 

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.