South Africa Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: Financial Intelligence Centre Act (FICA)
Data protection: POPIA
Also: FIC, FSCA

South Africa's financial crime framework is governed by the South African Reserve Bank (SARB) and enforced operationally by the Financial Intelligence Centre (FIC) under the Financial Intelligence Centre Act (FICA). Accountable institutions must complete risk-based CDD, file suspicious transaction reports, and maintain five-year records. Administrative sanctions reach ZAR 10 million or 10% of annual turnover per violation.

Who regulates financial crime in South Africa?

South Africa runs a Twin Peaks regulatory model, introduced by the Financial Sector Regulation Act 9 of 2017. Two apex bodies divide supervisory responsibility, with a third body running the country's financial intelligence function.

The South African Reserve Bank's Prudential Authority (PA) supervises banks, insurance companies, and financial conglomerates for safety and soundness. AML programme quality sits within the PA's mandate: an on-site inspection will assess your risk-based approach, KYC framework, transaction monitoring calibration, and governance. The PA can issue compliance notices, directives, and administrative sanctions for material prudential failures.

The Financial Intelligence Centre (FIC) is South Africa's financial intelligence unit and the primary AML supervisor for day-to-day FICA compliance. The FIC receives suspicious transaction reports and cash threshold reports, analyses them, and disseminates intelligence to law enforcement. It issues Public Compliance Communications (PCCs), Guidance Notes, and binding directives. The FIC conducts compliance examinations of accountable institutions and can impose administrative sanctions directly under FICA. It operates under the oversight of the Minister of Finance.

The Financial Sector Conduct Authority (FSCA) regulates market conduct across banks, insurers, and financial services providers. The FSCA's mandate is consumer protection and market integrity, but conduct failures frequently intersect with financial crime gaps. The FSCA declared crypto assets as financial products in October 2022 under the Financial Advisory and Intermediary Services Act. This brought crypto asset service providers (CASPs) into its licensing regime.

The three bodies operate under a formal supervisory coordination structure and share information under the FIC Act's intelligence-sharing provisions. Foreign banks dealing with South Africa will typically engage the PA on prudential matters and the FIC on AML programme examinations.


What are the key AML and fraud laws in South Africa?

FICA is the foundation. Originally enacted as Act 38 of 2001, it was substantively amended by the Financial Intelligence Centre Amendment Act 1 of 2017. That amendment shifted South Africa from a rules-based checklist to a risk-based approach aligned with the FATF standard. The 2017 amendment expanded Schedule 1's list of "accountable institutions" (now including CASPs), introduced customer due diligence (CDD) requirements for legal persons and trusts, and mandated risk assessments at both institutional and national level. FATF Recommendation 10 underpins these CDD obligations.

The Prevention of Organised Crime Act 121 of 1998 (POCA) is the primary money laundering criminal statute. Section 4 carries a maximum 15-year sentence on conviction. POCA creates the proceeds-of-crime forfeiture regime administered by the National Prosecuting Authority's Asset Forfeiture Unit. The AFU can seek civil forfeiture without a criminal conviction, which matters for banks holding the proceeds of crime.

The General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act 22 of 2022 made the most recent structural changes: tightening beneficial ownership requirements, amending the Companies Act to require registers of beneficial owners, and addressing gaps the FATF identified in its 2021 mutual evaluation report.

For data, the Protection of Personal Information Act 4 of 2013 (POPIA) governs how CDD data is collected, stored, and transferred. POPIA's section 72 restricts cross-border transfers of personal information to countries offering equivalent protection. Institutions sending KYC data to centralised offshore compliance functions must satisfy these conditions through binding corporate rules or documented consent. POPIA came into full force in July 2021; the Information Regulator has enforcement powers and has begun issuing enforcement notices.

The Prevention and Combating of Corrupt Activities Act 12 of 2004 (PRECCA) is why AML typologies for state-owned enterprise transactions need specific calibration. PRECCA requires certain persons to report corruption to law enforcement, and its scope overlaps directly with financial crime red flags at banks processing SOE-related payment flows. For CFT obligations, the Protection of Constitutional Democracy against Terrorist and Related Activities Act 33 of 2004 (POCDATARA) applies alongside FICA's own terrorism financing provisions.


What controls do South Africa regulators expect?

CDD and KYC. Accountable institutions must identify and verify customers before establishing a business relationship. Know Your Customer (KYC) procedures must cover natural persons, legal entities, and trusts. For legal entities, institutions must identify the ultimate beneficial owner (UBO) holding 25% or greater direct or indirect ownership. Enhanced due diligence is mandatory for higher-risk relationships. FICA section 21G requires enhanced measures for domestic and foreign politically exposed persons, consistent with FATF Recommendation 12. Domestic South African PEPs must be treated as high-risk, not lower-risk than foreign equivalents.

Transaction monitoring. Institutions must monitor transactions for suspicious or unusual activity. Transaction monitoring systems must be calibrated to the institution's specific risk profile and product mix, not copied from a generic rulebook. The FIC's PCCs and Guidance Notes provide typology guidance covering structuring, trade-based money laundering, real estate, and cross-border cash flows.

Sanctions screening. FICA section 28A requires sanctions screening against the FIC's Financial Sanctions List, updated in real time as the UN Security Council and South Africa's government issue designations. Institutions with correspondent banking relationships need to screen against OFAC, EU, and UK HMT lists as well. Executing a transaction for a designated party is a hard violation.

STR and CTR filing. Suspicious transaction reports (STRs) must be filed with the FIC under FICA section 29 as soon as reasonably possible after suspicion forms. There's no statutory 24-hour deadline, but the FIC treats delayed filing as a compliance failure. Cash threshold reports (CTRs) are required for cash transactions above ZAR 24,999.99 under FICA section 28.

Record-keeping. Five years from the end of the business relationship, consistent with FATF Recommendation 11 and FICA section 22. Records must be in a format that allows reconstruction of individual transactions at the FIC's request.


What is unique about compliance in South Africa?

The biggest recent complication was the FATF grey-listing. In February 2023, the FATF placed South Africa on its Increased Monitoring list after identifying deficiencies across 20 of 40 recommendations in the 2021 mutual evaluation. Key gaps: inadequate beneficial ownership enforcement, weak prosecution rates for complex financial crime, and underdeveloped virtual asset supervision. The grey-listing triggered enhanced due diligence from correspondent banks globally. Dollar-clearing costs rose for South African institutions, and some cross-border payment corridors slowed. South Africa was removed from the grey list in October 2024 after completing 22 action items. The supervisory landscape is more demanding as a direct result.

The Twin Peaks model creates a dual supervisory relationship that catches out foreign banks accustomed to single-regulator jurisdictions like the United Kingdom or Singapore. The Prudential Authority owns your AML programme quality; the FSCA owns your conduct standards. Both can inspect you independently, and a PA finding doesn't limit the FSCA's ability to act separately on related conduct issues.

Beneficial ownership transparency is an active work-in-progress. The 2022 Amendment Act and corresponding Companies Act changes require non-listed companies to file BO information with the Companies and Intellectual Property Commission (CIPC). The register went live for public companies in April 2023. Third-party searchability remains limited. Institutions can't substitute a registry lookup for direct CDD on beneficial owners; source documents and direct verification are still required.

Crypto compliance is real and enforced. The FSCA's 2022 declaration brought CASPs under FAIS licensing, and the FIC's inclusion of CASPs in FICA's Schedule 1 means crypto businesses face the same AML obligations as banks. FATF Recommendation 15 on new technologies is now operationally binding in South Africa. For banks with crypto client exposure, de-risking decisions need to be documented against a defined risk appetite policy.

South Africa's domestic PEP population is large by international standards. The Zondo Commission of Inquiry into state capture (final report delivered February 2022) documented financial flows through state-owned enterprises and connected financial institutions that should have triggered STRs. Compliance teams applying a lighter touch to domestic South African PEPs than to international PEPs are applying the wrong risk calibration.


Recent enforcement actions in South Africa

The dominant enforcement event of the past three years is the FATF grey-listing. The February 2023 listing formalised what the 2021 mutual evaluation found: systematic gaps in AML effectiveness across multiple sectors. The economic cost was real. South African banks paid higher correspondent banking fees, some payment corridors were subject to elevated scrutiny, and regulators accelerated supervisory activity to demonstrate credible progress.

The FIC has hardened its enforcement posture since the mutual evaluation. Its published annual reports document examination programmes covering banks, insurance companies, estate agents, attorneys, and CASPs, with non-compliance findings including deficient risk-based CDD frameworks, insufficient STR filing volumes relative to declared business activity, and weak record-keeping controls. The FIC can impose administrative sanctions of up to ZAR 10 million per contravention or 10% of annual turnover under FICA section 45B.

South Africa's most documented financial crime failure at an institution is VBS Mutual Bank. SARB placed VBS under provisional curatorship in March 2018 after discovering a fraud involving municipal deposits, fraudulent loan accounts, and payments to politically connected individuals. The forensic report "The Great Bank Heist," commissioned by the SARB and delivered by Advocate Terry Motau SC in October 2018, named 53 individuals for referral to the National Prosecuting Authority. The total fraud was approximately R2 billion. Criminal prosecutions followed. It's the clearest recent illustration of what happens when AML and governance controls are subordinated to connected-party pressure at a smaller institution.

For global context, the Standard Chartered 2019 enforcement action by US and UK regulators involved a bank that operates in South Africa through a registered branch. Group-level sanctions failures at a foreign bank parent carry direct risk for South African branch operations and their correspondent relationships.


What foreign banks operating in South Africa need to know

Foreign banks can enter South Africa through a branch of a foreign bank (registered with the SARB Prudential Authority under the Banks Act 94 of 1990) or a locally incorporated subsidiary. Both structures are fully subject to FICA. There's no passporting from the EU, UK, or US; compliance with your home jurisdiction doesn't satisfy South African requirements.

FICA requires every accountable institution to appoint a compliance officer, South Africa's functional equivalent of an MLRO. This person must be a senior employee with appropriate knowledge and skills. The FIC doesn't permit outsourcing the compliance officer role to a third party. Foreign banks establishing a branch regularly underestimate the time needed to identify and appoint a suitable individual before the branch goes operational.

Reporting timelines: STRs must be filed as soon as reasonably possible after suspicion forms. There's no hard statutory 24-hour deadline, but the FIC's guidance makes clear that delayed filing is treated as a compliance failure independent of the underlying transaction. CTRs for cash transactions above ZAR 24,999.99 must be filed promptly. The FIC's goAML system is the submission portal; test your connectivity before go-live.

On data: POPIA's cross-border transfer restrictions under section 72 apply to KYC data sent to group compliance functions offshore. Banks centralising CDD in London or elsewhere need binding corporate rules or documented consent. This isn't theoretical; the Information Regulator began issuing enforcement notices after POPIA's full commencement in July 2021.

Outsourcing CDD to third parties is permitted under FICA's reliance provisions in section 21H, but the accountable institution remains fully liable for any failure. Document your vendor oversight programme and retain the right to audit.

Post grey-listing, correspondent banks from the United States and elsewhere may have updated their enhanced due diligence standards for South African counterparts. With the grey-listing lifted as of October 2024, these EDD requirements should be under review at correspondent banks, but verify current status directly rather than assuming normalisation.


How FluxForce supports South Africa compliance

South Africa's FICA obligations map directly to what FluxForce delivers: real-time transaction monitoring calibrated to your customer risk profile, automated STR drafting with evidence pre-packaged for FIC submission, and continuous sanctions and PEP screening against the FIC's Financial Sanctions List alongside OFAC and UK HMT. Adverse media checks against South Africa's large domestic PEP population run without manual intervention. Every decision carries a full audit trail ready for Prudential Authority or FIC inspection. If you're building out your South Africa compliance programme or reviewing your current controls, book a demo to see the platform in action.

FluxForce AI agents monitor transactions against South Africa's AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for SARB examinations.