Digital KYC: How South Africa's New Digital ID Changes Verification

The Current State of Digital Verification in South Africa

South Africa's Department of Home Affairs operates the National Population Register (NPR) and the Home Affairs National Identification System (HANIS), which store biometric and identity data for all South African citizens and permanent residents. Accountable institutions can verify identity documents against these databases through authorised verification services.

The FIC has confirmed that electronic identity verification — where an institution verifies a customer's identity document against an authoritative government database — is an acceptable method of KYC verification under FICA. This has enabled fintechs and digital banks to onboard customers entirely online, without requiring physical document submission.

However, the current system has limitations. Database verification confirms that an identity number matches a name and date of birth, but it does not confirm that the person presenting the document is the person to whom it was issued. Liveness detection and biometric matching are increasingly required to close this gap.

South Africa's Digital Identity Programme

The Department of Home Affairs has been developing a digital identity system that would allow South Africans to use a government-issued digital credential — stored on a smartphone or other device — to prove their identity online. This system, sometimes referred to as the Digital Identity Framework, is designed to enable secure, privacy-preserving identity verification without the need to share a physical document.

The digital identity programme is intended to support several use cases relevant to KYC: remote customer onboarding, ongoing identity verification, and the sharing of verified identity attributes (such as name, date of birth, and address) with accountable institutions without exposing the full identity document. The programme is expected to significantly reduce the cost and friction of KYC for both institutions and customers.

Accountable institutions should monitor Department of Home Affairs announcements and FIC guidance for updates on the implementation timeline and the specific standards that will apply to digital identity verification.

What Is eKYC and Is It Permitted Under FICA?

eKYC (electronic Know Your Customer) refers to the use of digital means to verify a customer's identity. This includes: scanning and OCR of identity documents, biometric matching (comparing a selfie to the photo on an identity document), liveness detection (confirming the customer is a real person presenting themselves in real time), and database verification against government or credit bureau records.

FICA does not prescribe specific verification methods. It requires that verification be reliable and that the institution be able to demonstrate that its verification process produces results equivalent to in-person verification. The FIC has issued guidance confirming that eKYC is acceptable where these standards are met.

In practice, most South African banks and fintechs use a combination of document scanning, liveness detection, and Home Affairs database verification for digital onboarding. The specific combination of methods required will depend on the customer's risk rating — higher-risk customers may require more rigorous verification.

Biometric Verification and POPIA

Biometric data — including fingerprints, facial images, and voice recordings — is classified as special personal information under the Protection of Personal Information Act (POPIA). Accountable institutions that collect biometric data for KYC purposes must comply with POPIA's requirements for the processing of special personal information, including obtaining explicit consent and implementing appropriate security measures.

The interaction between KYC obligations under FICA and privacy obligations under POPIA is an important compliance consideration. Institutions must balance the need to collect sufficient information to verify identity against the obligation to minimise the collection of personal information. See our guide on KYC and POPIA for more detail.

Frequently Asked Questions

Can a South African bank verify a customer's identity entirely online?

Yes, provided the bank's digital verification process is reliable and produces results equivalent to in-person verification. Most South African banks and fintechs use a combination of document scanning, liveness detection, and Home Affairs database verification for digital onboarding.

Is a selfie sufficient for KYC verification?

A selfie alone is not sufficient. A selfie must be combined with liveness detection (to confirm the customer is a real person presenting themselves in real time) and matched against the photo on the identity document. The document must also be verified against an authoritative database.

What is liveness detection and why is it required?

Liveness detection is a technology that confirms a customer is a real, live person presenting themselves in real time, rather than a photograph or video replay. It is required to prevent identity fraud in digital onboarding processes.

Will South Africa's new digital ID replace the Smart ID card for KYC purposes?

The Department of Home Affairs intends for the digital identity system to be an alternative to the physical Smart ID card. Accountable institutions should monitor FIC guidance for confirmation that the digital credential is an acceptable form of identity verification under FICA.

Does POPIA restrict the collection of biometric data for KYC?

Yes. Biometric data is special personal information under POPIA. Institutions must obtain explicit consent before collecting biometric data and must implement appropriate security measures. The collection must be necessary for the purpose (KYC verification) and proportionate to that purpose.