KYC for South African Fintechs: Compliance Guide

South Africa's fintech sector has grown rapidly, but regulatory obligations have kept pace. Whether you operate a payment platform, a lending app, a digital wallet, or a robo-advisor, if you provide financial services to South African customers you are almost certainly an accountable institution under FICA — and you must implement a full KYC programme. This guide explains what that means in practice for fintech companies.

Which Fintechs Are Accountable Institutions?

Schedule 1 of FICA lists the categories of accountable institution. Fintechs typically fall into one or more of the following categories: banks (if licensed under the Banks Act), money remitters, payment service providers, crypto asset service providers, and persons who carry on the business of lending money against security. The FSCA and SARB have issued guidance confirming that digital-only and app-based providers are subject to the same FICA obligations as traditional financial institutions.

If your fintech holds a licence from the FSCA or SARB, you are an accountable institution. If you are operating under an exemption or in a regulatory sandbox, you should obtain legal advice on your specific FICA obligations.

Digital Onboarding and eKYC

The 2017 FICA amendments and subsequent FIC guidance explicitly permit digital identity verification — sometimes called eKYC. Fintechs may verify customer identity using electronic means, provided the verification is reliable and the fintech can demonstrate that the verification method produces results equivalent to in-person verification.

In practice, acceptable digital verification methods include: biometric verification against the Department of Home Affairs database, liveness detection combined with document scanning, and verification through a trusted third-party identity verification service. The introduction of South Africa's new digital ID system is expected to significantly simplify eKYC for fintechs by providing a government-issued digital credential that can be verified in real time.

Fintechs must document their eKYC methodology and be able to demonstrate to the FIC that their verification process is robust. Simply scanning a photo of an ID document without any liveness check or database verification is unlikely to meet the standard.

The Risk-Based Approach for Fintechs

The risk-based approach is particularly important for fintechs because their customer base and transaction patterns often differ significantly from traditional banks. A peer-to-peer lending platform has a different risk profile from a cross-border remittance service. Fintechs must conduct a documented risk assessment of their specific business model, customer base, and product set.

Key risk factors for fintechs include: the anonymity of digital channels, the speed of digital transactions, cross-border payment flows, the use of cryptocurrency, and the difficulty of verifying the identity of customers who never appear in person. The risk assessment must be reviewed at least annually and updated when the business model changes.

CDD Requirements for Fintech Customers

Customer Due Diligence (CDD) for fintechs covers the same core obligations as for banks: identity verification, beneficial ownership identification, understanding the business relationship, and ongoing monitoring. The key difference is the delivery channel — fintechs must achieve these outcomes through digital means.

For individual customers, fintechs must verify full name, date of birth, identity number, and residential address. For business customers, fintechs must verify the registered name, registration number, and the identity of all beneficial owners. Fintechs must also screen customers against sanctions lists and PEP databases at onboarding and on an ongoing basis.

Crypto Asset Service Providers

Crypto asset service providers (CASPs) were added to Schedule 1 of FICA in 2022, making them accountable institutions subject to full KYC obligations. CASPs must verify the identity of all customers, apply the Travel Rule to crypto transfers above the applicable threshold (South Africa has not yet published a specific rand threshold; monitor FIC guidance), and report suspicious transactions to the FIC. The FSCA has issued guidance on CASP registration and compliance requirements.

Penalties for Non-Compliance

The FIC can impose administrative sanctions on non-compliant fintechs, including financial penalties of up to R10 million per contravention. The FSCA and SARB can also take licensing action, including suspending or revoking a fintech's licence. Reputational damage from a public sanction can be fatal for a fintech that depends on customer trust.

Frequently Asked Questions

Can a South African fintech rely entirely on digital identity verification?
Yes, provided the digital verification method is reliable and produces results equivalent to in-person verification. The FIC has issued guidance confirming that electronic verification is acceptable. Fintechs must document their methodology and be able to demonstrate its robustness.

Does FICA apply to fintechs that only operate in South Africa?
Yes. FICA applies to all accountable institutions that carry on business in South Africa, regardless of whether they also operate internationally.

What is the Travel Rule and does it apply to South African fintechs?
The Travel Rule requires virtual asset service providers to share originator and beneficiary information when transferring crypto assets above a specified threshold. South Africa has committed to implementing the FATF Travel Rule. CASPs should monitor FIC guidance for the applicable threshold and implementation timeline.

Do fintechs need a compliance officer?
FICA requires accountable institutions to appoint a compliance officer responsible for ensuring compliance with the Act. For smaller fintechs, this role may be filled by a senior manager rather than a dedicated compliance professional, but the obligation exists regardless of company size.

How often must a fintech review its customer risk ratings?
There is no fixed statutory interval. The risk-based approach requires fintechs to review customer risk ratings when there is a material change in the customer's circumstances or transaction patterns, and as part of the fintech's periodic review of its overall risk assessment.

Your Next Step

Know your obligations. Act before the FIC does.

South Africa's FATF grey-list status means the FIC is actively inspecting accountable institutions. Use the KYC checklist to confirm your compliance posture before your next inspection.
