KYC vs AML: What Is the Difference?

KYC and AML are two of the most commonly used terms in financial compliance, and they are frequently confused or used interchangeably. They are not the same thing. Understanding the distinction — and the relationship — between KYC and AML is essential for any South African business that falls under FICA. This guide explains both concepts and how they interact in practice.

Definitions: KYC and AML

KYC (Know Your Customer) refers to the process of identifying and verifying the identity of customers before and during a business relationship. KYC is a set of specific procedures: collecting identity documents, verifying them against authoritative sources, identifying beneficial owners, and understanding the nature and purpose of the business relationship. KYC is primarily a customer onboarding and monitoring process.

AML (Anti-Money Laundering) is a broader framework of laws, regulations, policies, and procedures designed to prevent the financial system from being used to launder the proceeds of crime or finance terrorism. AML encompasses KYC, but it also includes transaction monitoring, suspicious transaction reporting, sanctions screening, record-keeping, staff training, and internal controls. AML is the entire compliance programme; KYC is one component of it.

A useful analogy: AML is the security system of a building. KYC is the process of checking the identity of everyone who enters. You cannot have effective AML without KYC, but KYC alone does not constitute a complete AML programme.

How KYC and AML Relate

KYC feeds into AML in a direct and practical way. The information gathered during KYC — the customer's identity, their business activities, their source of funds, their beneficial owners — forms the foundation of the AML risk assessment. Without accurate KYC data, it is impossible to identify whether a customer's transactions are consistent with their known profile, which is the core of transaction monitoring.

The relationship works in both directions. AML transaction monitoring may reveal patterns that require a KYC review. If a customer's transactions are inconsistent with their stated business purpose, the AML system should trigger a KYC refresh — a re-verification of the customer's identity and a review of their risk rating.

KYC and AML Under FICA

In South Africa, both KYC and AML obligations are imposed by FICA. FICA requires accountable institutions to:

  • Identify and verify the identity of customers (KYC — Sections 21–22)
  • Keep records of customer identification and transactions (AML — Section 22)
  • Report suspicious transactions to the FIC (AML — Section 29)
  • Report cash transactions above R49 999 to the FIC (AML — Section 28)
  • Develop and implement a risk management and compliance programme (AML — Section 42)
  • Train staff on their FICA obligations (AML — Section 43)

The Risk Management and Compliance Programme (RMCP) is the document that ties KYC and AML together. It must describe the accountable institution's approach to customer due diligence, transaction monitoring, suspicious transaction reporting, record-keeping, and staff training. It is the master document of the AML programme, and KYC procedures are a core section of it.

KYC vs AML: Key Differences at a Glance

Dimension | KYC | AML
Scope | Customer identification and verification | Entire compliance programme
When it applies | At onboarding and during relationship review | Continuously throughout the business relationship
Key activities | ID verification, beneficial ownership, CDD/EDD | Transaction monitoring, STR filing, sanctions screening, training
FICA reference | Sections 21–22 | Sections 22, 28, 29, 42, 43
Output | Customer risk profile | Risk Management and Compliance Programme (RMCP)
Relationship | A component of AML | The broader framework that includes KYC

Frequently Asked Questions

Is KYC the same as AML compliance?
No. KYC is a specific set of customer identification and verification procedures. AML is the broader compliance framework that includes KYC, transaction monitoring, suspicious transaction reporting, record-keeping, and staff training. You need both to be compliant.

Can a business be KYC compliant but not AML compliant?
Yes, in theory. A business could have excellent customer identification procedures but fail to monitor transactions, report suspicious activity, or train its staff. In that case, it would have strong KYC but weak AML. FICA requires both.

What is the RMCP and how does it relate to KYC and AML?
The Risk Management and Compliance Programme (RMCP) is the master document that every accountable institution must maintain under FICA Section 42. It describes the institution's entire AML programme, including its KYC procedures. Think of the RMCP as the AML manual, with KYC as one of its core chapters.

Does FICA use the terms KYC and AML?
FICA does not use the term "KYC" — it refers to "customer due diligence" and "identification and verification." The term "AML" is also not used in the Act; FICA refers to "money laundering" and "terrorist financing." KYC and AML are industry shorthand for the obligations imposed by FICA and related legislation.

Which regulator enforces KYC and AML in South Africa?
The Financial Intelligence Centre (FIC) is the primary regulator for KYC and AML compliance under FICA. Sector-specific regulators — including the SARB, FSCA, and the Estate Agency Affairs Board — also supervise compliance within their sectors.

Your Next Step

Know your obligations. Act before the FIC does.

South Africa's FATF grey-list status means the FIC is actively inspecting accountable institutions. Use the KYC checklist to confirm your compliance posture before your next inspection.

Read the full KYC checklist for your sector