The Three Gates Framework

Concept Spoke — Compliance Intersection

KYC and POPIA: How They Interact in South Africa

Published 7 April 2026 · 8 min read · KYC Registry South Africa

·

South African accountable institutions face a compliance tension: FICA requires them to collect and retain detailed personal information about their customers, while POPIA requires them to minimise the collection of personal information and to protect it rigorously. This guide explains how FICA and POPIA interact, where they conflict, and how accountable institutions can comply with both simultaneously.

What Is POPIA?

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's data protection law. It came into full effect on 1 July 2021 and is broadly equivalent to the EU's General Data Protection Regulation (GDPR). POPIA regulates the processing of personal information by public and private bodies, and gives individuals rights over their personal information.

POPIA is enforced by the Information Regulator, which can impose fines of up to R10 million for serious contraventions.

Where FICA and POPIA Appear to Conflict

FICA requires accountable institutions to collect and retain personal information — including identity documents, addresses, and source of funds information — for at least five years after the end of the business relationship. POPIA's minimisation principle requires institutions to collect only the personal information that is necessary for the purpose and to retain it only for as long as necessary.

At first glance, these requirements appear to conflict. In practice, POPIA resolves this tension through its lawful processing grounds. POPIA Section 11 allows personal information to be processed where it is necessary to comply with a legal obligation. FICA compliance is a legal obligation, which means the collection and retention of personal information for KYC purposes is lawful under POPIA.

POPIA Obligations That Apply to KYC Data

Even though FICA compliance provides a lawful basis for processing KYC data, accountable institutions must still comply with POPIA's other requirements:

  • Purpose limitation. KYC data collected for FICA compliance must be used only for that purpose. It cannot be used for marketing or other purposes without a separate lawful basis.
  • Security. KYC data must be protected against unauthorised access, loss, or damage. Institutions must implement appropriate technical and organisational security measures.
  • Data subject rights. Customers have the right to access their personal information and to request correction of inaccurate information. Institutions must have processes to handle these requests.
  • Special personal information. Biometric data (used in digital KYC) is special personal information under POPIA and requires explicit consent or another specific lawful basis for processing.
  • Cross-border transfers. KYC data may only be transferred to countries with adequate data protection laws, or with the data subject's consent.

Record Retention: FICA vs POPIA

FICA requires KYC records to be retained for at least five years after the end of the business relationship. POPIA requires personal information to be retained only for as long as necessary. These requirements are reconciled by treating the FICA five-year minimum as the retention period for KYC data. After five years, the data should be deleted or anonymised, unless there is another lawful basis for retaining it (such as an ongoing legal dispute).

Frequently Asked Questions

Does POPIA require consent for KYC data collection?
Not necessarily. POPIA allows personal information to be processed without consent where it is necessary to comply with a legal obligation. FICA compliance is a legal obligation, so consent is not required for KYC data collection. However, institutions should inform customers about the purpose of the data collection.
Can a customer refuse to provide KYC data on POPIA grounds?
No. FICA requires accountable institutions to collect KYC data, and customers are legally required to provide it. A customer cannot use POPIA to refuse KYC. Under FICA Section 21(3), an institution must not establish a business relationship if the customer refuses to provide the required information.
Must accountable institutions have a POPIA privacy notice?
Yes. POPIA requires institutions to inform data subjects about the purpose of data collection, the categories of data collected, and their rights. A privacy notice (or PAIA manual) is required.
How long must KYC records be kept under FICA and POPIA?
FICA requires a minimum of five years after the end of the business relationship. POPIA requires retention only for as long as necessary. In practice, the five-year FICA minimum is the retention period, after which data should be deleted or anonymised.
Does POPIA apply to KYC data about foreign customers?
Yes. POPIA applies to the processing of personal information in South Africa, regardless of the nationality of the data subject.

Your Next Step

Know your obligations. Act before the FIC does.

South Africa's FATF grey-list status means the FIC is actively inspecting accountable institutions. Use the KYC checklist to confirm your compliance posture before your next inspection.

Read the full KYC checklist for your sector