What is the KYC onboarding process?

The KYC onboarding process is the set of steps an accountable institution must complete before establishing a business relationship with a new customer. Under FICA, these steps include: customer identification, document collection, CDD verification, beneficial ownership identification, risk rating, sanctions screening, and (for high-risk customers) enhanced due diligence. The process must be completed before the business relationship is established or the first transaction is conducted.

What documents are required for KYC onboarding in South Africa?

For individual customers: a certified copy of a valid South African ID document or passport, and proof of residential address (not older than 3 months). For legal entities: company registration documents (COR14.3 or equivalent), proof of registered address, list of directors, and beneficial ownership documentation (identifying all natural persons holding ≥5% of the entity per FIC PCC 59).

What is risk rating in KYC onboarding?

Risk rating is the process of assessing the ML/TF/PF risk posed by a new customer based on their customer type, product usage, geographic connections, and delivery channel. The risk rating determines the level of due diligence applied: standard CDD for low-to-medium risk customers, and enhanced due diligence (EDD) for high-risk customers such as PEPs, customers from high-risk jurisdictions, and customers with complex ownership structures.

When is enhanced due diligence (EDD) required during onboarding?

EDD is required under FICA s.21C when the customer is: a politically exposed person (PEP) or a family member or close associate of a PEP; a customer from a FATF grey-listed or black-listed jurisdiction; a customer whose ownership structure is complex or opaque; or a customer whose source of funds or source of wealth cannot be readily verified. EDD requires additional documentation and senior management approval before the relationship is established.

How long does KYC onboarding take in South Africa?

For standard (low-risk) individual customers with complete documentation, KYC onboarding can be completed within 1–3 business days. For legal entities, 3–7 business days is typical due to the additional beneficial ownership verification requirements. For high-risk customers requiring EDD and senior management approval, the process can take 2–4 weeks.

KYC Onboarding Process: Step-by-Step Guide for South African Accountable Institutions

The KYC onboarding process is the sequence of compliance steps an accountable institution must complete before establishing a business relationship with a new customer. Under the Financial Intelligence Centre Act 38 of 2001 (FICA), onboarding is not merely an administrative formality — it is a legal obligation. Institutions that onboard customers without completing the required steps face administrative sanctions of up to R50 million per contravention and, in cases of wilful non-compliance, criminal liability. This guide covers the eight steps of the FICA-compliant KYC onboarding process, with separate requirements for individual and legal entity customers.

Identify the customer before establishing a business relationship. For individual customers, this means obtaining the full name, ID number, date of birth, and residential address. For legal entities, this means obtaining the registered name, registration number, registered address, and the identity of directors and beneficial owners.

Full name (as per ID document)
South African ID number or passport number
Date of birth
Residential address (not a PO Box)
Contact details (email and phone)

Collect the documents required to verify the customer's identity and address. Documents must be current and, where required, certified. The FIC accepts electronic copies of original documents for digital onboarding, provided the institution has a documented process for verifying the authenticity of electronic copies.

Certified copy of valid SA ID or passport
Proof of residential address (utility bill, bank statement, or lease agreement — not older than 3 months)
For non-residents: certified copy of passport and proof of foreign address

Verify the information provided by the customer against independent, reliable sources. Verification is not the same as collection — the institution must confirm that the identity document is genuine, that the address is current, and that the beneficial ownership declaration is accurate.

Verify SA ID number against the Department of Home Affairs (DHA) database or an accredited verification bureau
Verify address against a third-party address verification service or by reviewing an original utility bill or bank statement
For non-residents: verify passport against the issuing country's database where possible

Identify all natural persons who ultimately own or control the legal entity customer. The FIC's Public Compliance Communication 59 (August 2024) confirmed that the beneficial ownership threshold under FICA is 5% — any natural person holding 5% or more of the equity, voting rights, or economic interest in the entity must be identified and verified.

Not applicable for individual customers (the customer is the beneficial owner)

Assign a risk rating to the customer based on the institution's risk-based approach. The risk rating determines the level of due diligence applied and the frequency of ongoing monitoring. Risk ratings must be documented and must reflect the institution's actual assessment of the customer's ML/TF/PF risk.

Low risk: SA resident, standard employment income, no PEP indicators, no high-risk jurisdiction connections
Medium risk: non-resident, cash-intensive business, limited verifiable income
High risk: PEP or PEP associate, customer from FATF grey-listed jurisdiction, complex ownership, adverse media

Screen the customer against the FIC-designated list, the UN Security Council consolidated list, and (for USD transactions) the OFAC SDN list before establishing the business relationship. Screening must be completed before approval — not after. Document the screening outcome and retain records for 5 years.

Screen full name and date of birth against FIC-designated list
Screen against UN Security Council consolidated list
Screen against OFAC SDN list for USD transactions
Document screening date, lists screened, and outcome

Apply enhanced due diligence for customers rated as high risk. EDD requires additional documentation, a source of funds or source of wealth declaration, and senior management approval before the business relationship is established. EDD customers must be subject to more frequent ongoing monitoring.

Obtain source of funds declaration (salary slips, tax returns, investment statements)
Obtain source of wealth declaration for high-net-worth individuals
Conduct adverse media screening
Obtain senior management approval before onboarding
Set enhanced ongoing monitoring frequency (quarterly or more frequent)

Obtain the required approval for the business relationship and create the customer record. The approval authority depends on the customer's risk rating: standard CDD customers can be approved by a relationship manager or equivalent; high-risk customers requiring EDD must be approved by senior management or the compliance officer. All onboarding records must be retained for a minimum of 5 years.

Low/medium risk: relationship manager approval
High risk: senior management or compliance officer approval
Create customer record with all CDD documentation
Retain records for minimum 5 years
Set ongoing monitoring triggers and review dates

After Onboarding: Ongoing Monitoring

KYC onboarding is the beginning of the compliance relationship, not the end. FICA requires accountable institutions to conduct ongoing monitoring of all business relationships to ensure that the customer's risk profile remains current and that transactions are consistent with the institution's knowledge of the customer. Ongoing monitoring requirements include:

Periodic review of CDD records — annually for high-risk customers, every 3 years for medium-risk customers, and every 5 years for low-risk customers (FIC guidance).
Re-screening against the FIC-designated list and UN Security Council list when these lists are updated.
Transaction monitoring to identify transactions that are inconsistent with the customer's known risk profile or business activities.
Updating CDD records when material changes occur (change of address, change of beneficial owner, change of business activities).
Filing suspicious transaction reports (STRs) when transactions give rise to a suspicion of money laundering, terrorist financing, or proliferation financing.

For sector-specific ongoing monitoring requirements, see the KYC Checklist for your sector.

Sector-Specific Onboarding Requirements

While the 8-step onboarding process above applies to all accountable institutions, each sector has additional documentation requirements, risk indicators, and FIC guidance specific to its customer base and product set. Select your sector below for the complete sector-specific onboarding and CDD checklist:

Commercial BanksSARB / PA supervised Insurance CompaniesFSCA supervised Estate AgentsPPRA supervised AccountantsIRBA / SAICA supervised Attorneys & LawyersLSSA / LSNP supervised Crypto Asset Service ProvidersFSCA supervised Payment Service ProvidersSARB / PA supervised Forex DealersSARB / FSCA supervised

Frequently Asked Questions

What is the KYC onboarding process?▼
What documents are required for KYC onboarding in South Africa?▼
What is risk rating in KYC onboarding?▼
When is enhanced due diligence (EDD) required during onboarding?▼
How long does KYC onboarding take in South Africa?▼

KYC Onboarding Process: A Step-by-Step Guide for South African Accountable Institutions

Customer Identification

Document Collection

CDD Verification

Beneficial Ownership Identification

Risk Rating

Sanctions Screening

Enhanced Due Diligence (EDD)

Approval and Record-Keeping

After Onboarding: Ongoing Monitoring

Sector-Specific Onboarding Requirements

Frequently Asked Questions