AML/CFT Compliance in South Africa: SARB, FICA, and the 2026 Regulatory Landscape

The Financial Intelligence Centre (FIC) publishes guidance on SAR filing, beneficial-ownership verification and PEP screening. Its 2025/26 Annual Performance Plan (APP) sets a target of processing 95 % of SARs within 48 hours of receipt and of completing at least 30 % of investigations within six months. The FIC also runs joint supervisory examinations with the SARB PA, focusing on correspondent-banking risk, sanctions compliance, and the non-profit-organisation (NPO) sector.

Regulator-Specific Guidance

In March 2025 the PA released Prudential Authority Notice 2025/03, which clarifies expectations for “risk-based AML controls” in the context of the SARB’s “Liquidity and Funding” stress-testing regime. The notice requires banks to map AML risk across all funding sources, including foreign-exchange and cross-border payments, and to demonstrate how AML controls are integrated into liquidity-risk models.

The FIC’s “Guidance Note GN-2024-02” on beneficial-ownership verification, issued in August 2024, stipulates that entities must obtain certified copies of the latest shareholder register from the Companies and Intellectual Property Commission (CIPC) and retain electronic copies for the statutory five-year period. Failure to produce such documentation was a central finding in the 2025 enforcement action against FirstRand Bank (see table below).

The FSCA’s “CASP Licensing Handbook” (Version 1.1, released November 2023) outlines the AML obligations for crypto-asset service providers, including the requirement to conduct transaction-monitoring on all transfers to unhosted wallets and to retain blockchain-analysis reports for a minimum of three years. Section 20(2) of FICA, as amended by the 2022 Act, gives the FIC authority to request these reports during inspections.

Customer Due Diligence and KYC

South African institutions must apply the tiered CDD model set out in FICA Section 20(1) and the PA’s “Risk-Based AML Framework” (PA Circular 2024/01). For natural persons, verification must include full name, date of birth, national ID number, and residential address, captured before the establishment of a business relationship. For legal entities, the required documentation includes a certified copy of the incorporation certificate, a recent extract from the CIPC register, and a declaration of beneficial-ownership structure in line with Section 5 of the 2022 Amendment Act.

Enhanced due diligence (EDD) is triggered where a customer is a politically exposed person (PEP), a senior public official, or a senior executive of a state-owned enterprise. The FIC’s “PEP Screening Guidance” (GN-2023-07) requires a risk-based assessment of the PEP’s source of wealth, a senior-management approval before onboarding, and continuous monitoring for at least 12 months after the PEP ceases to hold the public function. The PA expects documented EDD procedures to be reflected in the institution’s AML policy manual.

Simplified due diligence (SDD) is permitted only where the institution can demonstrate a low-risk profile, such as for small-value retail accounts with transaction volumes below R 10 000 per month and where the customer is a South African citizen with a verified ID. The PA’s 2024 guidance warns that over-use of SDD will be treated as a material breach in supervisory examinations.

Sanctions Screening

South African entities must screen customers and transactions against the United Nations Consolidated List, the European Union Consolidated Sanctions List, and the South African “National Sanctions List” maintained by the Department of International Relations and Cooperation (DIRCO). The FIC’s “Sanctions Screening Manual” (issued July 2024) requires real-time name-screening at onboarding and periodic batch screening of all active accounts at least quarterly.

The PA’s “Correspondent Banking Risk Bulletin” (June 2025) highlighted heightened scrutiny of transactions involving Russian and Iranian counterparties, noting that failure to block prohibited transfers can result in SARB-imposed penalties of up to 0.5 % of the institution’s average annual turnover. In 2024 the SARB levied a R 3 million fine against a mid-size bank for processing a series of payments to a sanctioned Iranian entity without proper screening.

SAR/STR Reporting

Under FICA Section 43(1), accountable institutions must file a SAR with the FIC “without undue delay” after forming a suspicion of money-laundering or terrorist financing. The FIC’s electronic portal “eSAR” became mandatory on 1 January 2025, and the system logs the exact timestamp of each submission. The 2025/26 APP sets a target of filing within 24 hours for high-risk alerts and within 72 hours for lower-risk alerts.

The PA’s “Reporting Timeliness Directive” (PA Circular 2025/02) clarifies that “without undue delay” translates to a maximum of one working day for high-risk SARs and three working days for standard SARs, unless a justified extension is documented. The SARB’s 2025 enforcement notice against a regional bank cited a breach of this deadline as a key factor in imposing a R 7 million penalty.

Risk-Based Approach

Institutions must adopt a risk-based approach (RBA) that aligns with FICA Section 4 and PA Circular 2024/01. The RBA requires a documented institution-wide risk assessment covering product, customer, geographic and delivery-channel risks. The assessment must be refreshed annually and whenever a material change occurs, such as the introduction of a new product line or a change in the institution’s ownership structure.

The FIC’s “Risk-Based AML Framework” (published September 2024) introduces a three-tier risk-scoring model that assigns a numeric score to each client based on factors such as transaction volume, jurisdiction, and PEP status. The model must be calibrated to the institution’s risk appetite and approved by senior management. The PA expects the risk-scoring methodology to be embedded in the institution’s core banking system, with automated alerts for score thresholds that trigger EDD.

Crypto-Assets

The 2022 General Laws Amendment Act brought crypto-asset service providers (CASPs) within the ambit of FICA. Section 20(2) obliges CASPs to conduct CDD on both the user and the ultimate beneficiary of a wallet address, to retain blockchain-analysis reports, and to file SARs for any transaction that appears to be linked to illicit activity. The FSCA’s “CASP Licensing Handbook” (Version 1.1) requires a minimum of two full-time AML compliance staff for any licensed CASP and mandates the use of a “transaction-monitoring engine” that can analyse on-chain data.

In December 2025 the FIC issued “Guidance Note GN-2025-03” on unhosted wallets, stating that transfers to wallets without a known owner must be treated as high-risk and that institutions must obtain additional verification, such as a notarised declaration of ownership, before processing amounts exceeding R 100 000. Failure to comply can result in a fine of up to R 5 million per breach, as demonstrated in the 2026 enforcement action against a local exchange that processed R 250 million of unverified wallet transfers.

Recent Enforcement

The period 2023-2026 has seen a sharp increase in enforcement activity, reflecting the SARB-PA and FIC’s focus on high-impact violations. The table below summarises the most significant penalties imposed on South African institutions.

Beyond the headline fines, the SARB-PA has issued numerous “notice-of-non-compliance” letters requiring remedial action plans, especially in the areas of correspondent-banking risk, cash-threshold reporting, and PEP monitoring. The FIC’s 2025 “Enforcement Summary” notes that 42 % of SARs filed in 2024 were classified as “high-risk” and that the average processing time fell from 72 hours in 2023 to 48 hours in 2025, reflecting the impact of the eSAR platform.

Practical Compliance Checklist for South African Institutions

Common Pitfalls

A recurring issue is the reliance on a single commercial screening vendor without documented validation. The FIC’s 2025 enforcement notice highlighted that institutions must retain evidence of data-quality checks, false-positive thresholds and periodic vendor audits.

Another frequent shortfall is the incomplete capture of beneficial-ownership information for complex corporate structures. The 2025 FirstRand penalty demonstrated that failure to obtain the ultimate natural-person owners of a shell company, even when a local director is listed, triggers a breach of Section 5 of the 2022 Amendment Act.

Finally, many banks still process high-value cash deposits using legacy “manual” registers, which hampers the ability to meet the R 25 000 cash-threshold reporting requirement under FICA Section 12(1). The SARB’s 2024 “Cash-Transaction Review” found that 18 % of surveyed banks failed to generate the required electronic audit trail, exposing them to potential fines of up to R 2 million per breach.

How RegMantle Helps

RegMantle produces jurisdiction-specific AML/CFT documentation that references the Financial Intelligence Centre Act 2001 (FICA, Act No 38 of 2001), the 2022 General Laws Amendment Act, SARB Prudential Authority circulars and FSCA CASP licensing requirements. Generated outputs include a full AML policy manual, a risk-assessment template aligned with FICA Section 4, KYC/CDD procedures that capture the latest beneficial-ownership verification steps, a sanctions-screening policy referencing UN, EU and South African lists, SAR/STR filing SOPs keyed to the eSAR platform, and a crypto-asset AML framework that satisfies FSCA licensing conditions. All documents are exportable as branded DOCX files ready for board approval and regulator inspection.