South African commercial banks are among the most heavily regulated entities under the Financial Intelligence Centre Act 38 of 2001 (FICA). As accountable institutions, banks must verify the identity of every customer, understand the nature and purpose of every business relationship, and report suspicious transactions to the Financial Intelligence Centre (FIC). This guide explains exactly what KYC means for South African banks, what the law requires, and what happens when banks fall short.
The Legal Framework for Bank KYC
South African bank KYC obligations flow from three primary sources. First, FICA (as amended by the Financial Intelligence Centre Amendment Act 1 of 2017) imposes customer identification, verification, and due diligence obligations on all accountable institutions, including banks. Second, the Banks Act 94 of 1990 and Regulation 39 thereunder impose additional governance and risk management obligations. Third, the South African Reserve Bank (SARB) issues Guidance Notes and Directives that interpret and supplement the statutory obligations.
The 2017 FICA amendments were transformative. They replaced the old rules-based approach — which required specific documents from specific customer types — with a risk-based approach. Banks must now assess the money laundering and terrorist financing risk of each customer and apply due diligence measures proportionate to that risk. Low-risk customers receive simplified due diligence; high-risk customers receive enhanced due diligence.
Who Must Comply
Every bank registered under the Banks Act and every mutual bank registered under the Mutual Banks Act is an accountable institution under Schedule 1 of FICA. This includes all commercial banks, savings banks, and branches of foreign banks operating in South Africa. Compliance obligations apply to the institution as a whole — not just the compliance department. Every employee who deals with customers is part of the KYC process.
Customer Due Diligence: What Banks Must Do
Under FICA Section 21, banks must establish and verify the identity of every customer before or as soon as reasonably practicable after establishing a business relationship. Customer Due Diligence (CDD) for banks covers four core obligations:
- Customer identification and verification. Banks must obtain and verify the full name, date of birth, identity number, and residential address of every natural person customer. For legal entities, banks must obtain the registered name, registration number, registered address, and the identity of all beneficial owners.
- Beneficial ownership identification. Banks must identify every natural person who owns or controls 5% or more (per FIC PCC 59) of a legal entity customer, either directly or indirectly. This includes identifying persons who exercise effective control through other means.
- Understanding the business relationship. Banks must understand the nature and intended purpose of the business relationship and the source of funds.
- Ongoing monitoring. Banks must monitor transactions throughout the business relationship to ensure they are consistent with the bank's knowledge of the customer and their risk profile.
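The beneficial-ownership rule above has a computational side: a person's holding through a chain of entities is the product of the fractions along the chain, holdings through several chains are summed, and anyone at or above the threshold (or controlling the entity by other means) must be recorded. The following Python is an added example, not code from the guide or any bank's system; the ownership register, the names, the control-by-other-means flag and the depth guard against cross-holding loops are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ownership register (hypothetical data, not a real customer).
# Each entry maps an owned entity to a list of (owner, fraction held).
OWNERSHIP = {
    "AcmeHoldings": [("Alice", 0.60), ("BetaTrust", 0.40)],
    "BetaTrust": [("Bob", 0.50), ("GammaLtd", 0.50)],
    "GammaLtd": [("Carol", 0.10), ("Dave", 0.90)],
}
PERSONS = {"Alice", "Bob", "Carol", "Dave"}  # natural persons; all others are entities
# Persons recorded as exercising effective control through other means (assumed data).
CONTROLLERS = {"AcmeHoldings": {"Erin"}}
THRESHOLD = 0.05  # the 5% threshold the text cites (FIC PCC 59)


def effective_ownership(customer, ownership=OWNERSHIP, persons=PERSONS, max_depth=10):
    """Return {person: fraction} of direct plus indirect ownership of `customer`.

    The fraction along a chain is the product of the holdings on that chain; several
    chains to the same person are summed. max_depth stops cross-holding loops from
    recursing forever (the residual below the cut-off is negligible for reporting).
    """
    totals = defaultdict(float)

    def walk(entity, weight, depth):
        if depth > max_depth:
            return
        for owner, fraction in ownership.get(entity, []):
            share = weight * fraction
            if owner in persons:
                totals[owner] += share
            else:
                walk(owner, share, depth + 1)

    walk(customer, 1.0, 0)
    return dict(totals)


def beneficial_owners(customer, threshold=THRESHOLD):
    """Natural persons to record as beneficial owners of `customer`: everyone whose
    effective holding is at or above the threshold, plus anyone recorded as
    controlling the entity through other means regardless of shareholding."""
    shares = effective_ownership(customer)
    flagged = {person for person, share in shares.items() if share + 1e-12 >= threshold}
    flagged |= CONTROLLERS.get(customer, set())
    return sorted(flagged)
```

For the constructed register, Carol's 2% indirect holding (40% x 50% x 10%) falls below the threshold while Dave's 18% does not, and Erin is recorded purely on the control flag.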
Enhanced Due Diligence: High-Risk Customers
Enhanced Due Diligence (EDD) applies when a customer or transaction presents a higher risk of money laundering or terrorist financing. Banks must apply EDD to:
- Politically Exposed Persons (PEPs). PEPs are individuals who hold or have held prominent public functions. Banks must obtain senior management approval before establishing a business relationship with a PEP and must apply enhanced ongoing monitoring.
- Customers from high-risk jurisdictions. FATF-grey-listed countries, including South Africa itself (as seen from the perspective of foreign correspondent banks), require enhanced scrutiny.
- Customers with complex ownership structures. Shell companies, trusts, and other structures that obscure beneficial ownership require additional investigation.
- High-value or unusual transactions. Transactions that are inconsistent with the customer's known profile or that have no apparent economic purpose require investigation and may require a Suspicious Transaction Report (STR).
The Risk-Based Approach in Banking
The risk-based approach requires banks to develop a documented risk assessment of their customer base, products, delivery channels, and geographic exposure. This risk assessment must be reviewed regularly and updated when material changes occur. The risk assessment informs the bank's policies, procedures, and controls for managing money laundering and terrorist financing risk.
In practice, banks assign each customer a risk rating — typically low, medium, or high — based on factors including the customer's industry, transaction patterns, geographic location, and ownership structure. The risk rating determines the frequency and intensity of ongoing monitoring and the level of due diligence applied at onboarding and review.
Suspicious Transaction Reporting
Under FICA Section 29, banks must report any transaction that gives rise to a suspicion that it involves the proceeds of unlawful activities or is related to terrorist financing. A Suspicious Transaction Report (STR) must be submitted to the FIC as soon as possible after the suspicion arises. Banks must not tip off the customer that a report has been or will be made.
Penalties for Non-Compliance
The FIC Act empowers the FIC to impose administrative sanctions on accountable institutions that fail to comply with their KYC obligations. Sanctions include cautions, reprimands, directives to take remedial action, and financial penalties of up to R10 million per contravention. The SARB may also take supervisory action under the Banks Act, including revoking a bank's registration.
Frequently Asked Questions
- Do South African banks need to re-verify existing customers?
- Yes. Under the 2017 FICA amendments, banks must apply the new risk-based CDD standards to existing customers when the risk profile of the customer changes or when the bank reviews the relationship. Banks must also re-verify customers whose identity documents have expired.
- What documents can a bank accept for identity verification?
- Banks may accept a South African Smart ID card, a South African green ID book, or a valid South African passport for natural persons. For foreign nationals, a valid foreign passport or identity document is acceptable. The bank must verify the document against the Department of Home Affairs database where possible.
- What is the difference between CDD and EDD for banks?
- Standard CDD applies to all customers and involves identity verification, beneficial ownership identification, and ongoing monitoring. EDD applies to higher-risk customers and involves additional measures such as senior management approval, enhanced source-of-funds investigation, and more frequent monitoring.
- Must banks identify beneficial owners of all corporate customers?
- Yes. Banks must identify all natural persons who own or control a legal entity customer above the relevant threshold. For JSE-listed companies and their subsidiaries, simplified due diligence may apply in certain circumstances.
- What happens if a bank cannot verify a customer's identity?
- Under FICA Section 21(3), a bank must not establish a business relationship or conclude a single transaction if it cannot verify the customer's identity. If verification fails during an existing relationship, the bank must terminate the relationship and consider whether to file a Suspicious Transaction Report.