Certified Copies Aren’t Enough Anymore: What the New FIC Rules Really Mean for Your Practice
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
Let’s be honest, no one went into accounting to become a part-time compliance officer. But if you’re onboarding clients without understanding how the new FIC rules affect verification, you could be one misstep away from personal liability.
On 1 September 2025, the Financial Intelligence Centre (FIC) dropped the most significant compliance update in years, the Revised Guidance Note 7A. It rewrites how every accountable institution (and that may include you, if your services fall under Schedule 1 of the FIC Act) must handle client verification and risk management.
If you advise on company formation, manage client funds, act as a nominee, or handle trust or business accounts, chances are, you qualify. And if you do, this new guidance changes everything about how you identify and verify your clients.
For years, we’ve relied on certified copies and standard ID checks to tick the KYC box.
That era is over.
The FIC now expects proof, not process, and you’re the one who must justify your decision.
From Tick-Box to Thinking: The Risk-Based Revolution
The old rules told you how to verify clients.
The new rules ask why you did it that way and whether your reasoning holds up.
Gone are the days of prescriptive checklists. The General Law Amendment Act, 2022, repealed big chunks of the old Money Laundering Regulations. In their place comes a risk-based approach, giving you more freedom but also more accountability.
You now decide what “enough” verification looks like, based on each client’s money laundering and terrorism financing (ML/TF) risk.
Low-risk, face-to-face client? A certified copy might still work.
Foreign politically exposed person (PEP) or complex trust structure? You’ll need independent third-party verification and documentation to prove it.
This isn’t optional. Under the new model, your professional judgment is what regulators will scrutinize first. And if it’s weak or undocumented, you’re on the hook.
The R10 Shock: Compliance Just Got Pricier
The next curveball came from the Department of Home Affairs.
On 1 July 2025, Home Affairs quietly rolled out a “modernized” National Population Register (NPR) verification system, which is sleek, fast, and brutally expensive.
The price per real-time ID check jumped from 15 cents to R10. Batch verifications done after-hours cost R1 per check.
That’s a 66x price hike.
For a small practice verifying 100 clients, that’s a jump from R15 to R1,000 if done in real time.
That’s not just inflation, that’s a compliance cost earthquake.
Home Affairs defends it as “sustainable pricing,” but for practitioners, it’s a new overhead that must be built into pricing or recovered somehow.
The good news? The new system works: it’s faster, more reliable (failure rates below 1%), and integrates better with practice tech.
The bad news? You’ll need to rethink your KYC workflow and maybe even batch your verifications during off-peak hours to save costs.
So When Is a Certified Copy Still Enough?
Let’s cut through the jargon.
A certified copy is fine only when:
You’ve seen the original ID in person;
You’ve documented that sighting; and
The client is low-risk based on your risk assessment.
Anything less (like a scanned ID emailed from a “gmail.com” address) is not compliance.
In non-face-to-face situations, the rules tighten even more. You must take additional steps:
Independent contact with the client;
Third-party introduction;
Extra documentation or electronic verification;
Or direct checks against reliable databases.
The FIC is clear: if you can’t show how you confirmed the client’s identity beyond a document, you haven’t verified them.
The New Gold Standard: Independent Third-Party Verification
The FIC defines verification as “corroboration using reliable and independent third-party sources.”
Translation: if the data comes from the client themselves, it’s not good enough.
That’s why government-held sources (like the NPR, passport registries, or immigration records) sit at the top of the reliability pyramid.
Other options include licensed third-party platforms like LexisNexis KYC, DocFox (via nCino), and Aiprise, all of which link into verified data pools, run PEP and sanctions screening, and provide audit trails.
These tools aren’t cheap, but they save time, reduce manual risk, and create digital paper trails that auditors and the FIC love.
And for small firms, they level the playing field, giving you access to the same verification muscle as the banks.
Just remember: even when you use third-party services, you remain accountable for compliance. Outsourcing doesn’t transfer liability.
Non-Face-to-Face = High-Risk by Default
Remote onboarding is convenient, but it’s also where most compliance failures happen.
The FIC expects verification standards that are “as effective” as in-person checks, which means that you need controls to mitigate the risk of impersonation or document fraud.
Think video verification, liveness detection, multiple data checks, or even hybrid methods (online plus call-back confirmation).
A simple “upload your ID” form doesn’t cut it anymore.
If you’re relying on third-party introductions (say, a client referred by a bank), you can lean on that verification, but you must document your reasoning and assess whether it’s sufficient for your own risk appetite.
Risk-Based Compliance Is Now Personal
This is the part that should make every practitioner sit up:
Boards and senior managers are personally liable for FIC compliance.
The Revised GN 7A explicitly says that RMCP (Risk Management and Compliance Programme) approval cannot be delegated.
If your RMCP isn’t updated to reflect the new guidance, you’re already non-compliant, even if your intentions are good.
Boards must “apply their minds” to the adequacy of the RMCP. That means they must understand your verification procedures, risk classifications, and escalation triggers, not just rubber-stamp them.
Personal sanctions under Section 61 of the FIC Act are now a real threat.
So if you haven’t reviewed your RMCP since 2024, it’s time.
Can You Charge for Verification? Yes, And You Should
KYC isn’t free work. It’s a professional service.
You’re applying judgment and risk analysis, and taking on liability.
Nothing in the FIC Act or CIBA’s Code of Conduct says you can’t recover compliance costs. In fact, you should, transparently.
Include verification fees in engagement letters, factor NPR and third-party costs into pricing, and explain to clients that this isn’t admin, it’s protection.
If a client refuses to provide verification info, don’t negotiate, walk away.
Working with an unverified client is not worth the fine, the audit, or the reputation risk.
What This Means for You
The 2025 compliance landscape is different. You now need:
A written, board-approved RMCP that reflects risk-based verification
A clear policy on when certified copies are enough
Documented use of third-party or government verification for higher-risk clients
A system for record-keeping and periodic re-verification
A plan to recover rising verification costs
And you need to start now.
Bottom Line
The new FIC framework gives practitioners freedom, but also nowhere to hide.
Certified copies might still work in low-risk, face-to-face cases, but if your client profile screams “risk,” the only safe route is independent third-party verification.
The cost of compliance has gone up.
But the cost of non-compliance? Potentially everything.
Join CIBA and we’ll show you how to update your RMCP, integrate affordable verification tools, and build compliance into a profitable service, not a burden.