FIC Compliance After Registration - What You Should Know
Many accountants think registering with the Financial Intelligence Centre (FIC) is the hard part, but registration is just the beginning. Once you’re registered as an accountable institution, compliance becomes permanent. It becomes part of how you run your practice, every client, every transaction, every day.
Below we look at what happens after registration, and what practices must do to stay compliant and avoid serious regulatory risk.
Step 1: Be Clear — Are You an Accountable Institution?
You are an accountable institution if you:
Set up or register companies or trusts
Act as a nominee director or shareholder
Manage client funds
Help structure transactions
Provide trust and company services
If you only do bookkeeping, payroll, VAT returns, financial statements, and tax submissions, and you do not make decisions or manage funds, you may not fall within the definition. But you must check Schedule 1 of the Financial Intelligence Centre Act, 2001 (Act 38 of 2001) carefully. If you do fall within the definition, registration is not optional. It must be done immediately.
Step 2: Register Correctly
Registration is done via the FIC website using the GoAML platform. Key points:
The accounting practice registers, not individual employees.
A compliance officer must be appointed before registration.
You must upload supporting documents.
You must complete your entity profile.
You must monitor the system regularly.
Common mistakes include:
Using personal email addresses instead of business emails.
Failing to update compliance officer details when staff change.
Registering but never submitting the Risk Management and Compliance Programme (RMCP).
Not checking the GoAML platform for updates.
Compliance does not end once you receive your registration confirmation. It starts there.
Step 3: Your Risk Management and Compliance Programme (RMCP)
The Risk Management and Compliance Programme (RMCP) is your firm’s internal FICA manual.
It explains:
How you assess risk in your business
How you rate clients as low, medium, or high risk
How you conduct customer due diligence
How you apply enhanced due diligence
How you keep records
How you train staff
How you report suspicious transactions.
Use CIBA’s RMCP template, but do not copy and paste. Your RMCP must reflect your actual services, your actual risks, and your actual processes. During an FIC audit, they will compare your RMCP to your invoicing and client base. If your risk assessment does not match your services, that creates problems. Your directors and top management must understand and approve this document. It is not just a compliance file; it is a governance responsibility.
Step 4: Customer Due Diligence (CDD)
Before taking on a client, you must verify their information.
For individuals:
ID or passport
Proof of address
Source of funds
Risk rating
For companies:
CIPC documents
Directors’ IDs
Beneficial ownership information
Business address
Source of funds
Risk rating
Every client must be rated as low, medium, or high risk. Risk depends on:
The nature of the business
Location
Cash intensity
Political exposure
Ownership complexity
Transaction behaviour
Step 5: Enhanced Due Diligence (EDD)
High-risk clients require more scrutiny. This applies to:
Politically exposed persons
Foreign clients
Complex ownership structures
Suspicious behaviour
Large cash transactions (also see reporting obligations below).
Enhanced due diligence means going deeper. More documents. More verification. More monitoring. You must define this process clearly in your RMCP.
Step 6: The Targeted Financial Sanctions (TFS) List
The Targeted Financial Sanctions (TFS) list contains individuals and entities linked to terrorism and money laundering. You must:
Screen all clients and beneficial owners against the TFS list.
Re-screen when the list is updated.
Keep records of when the screening was done and who did it.
Report matches immediately.
Freeze assets if required.
Note: You must also screen your own employees. Failure to monitor TFS updates is a serious compliance failure.
Step 7: Reporting Obligations
There are five main types of reports:
Suspicious Transaction Reports (STR) - as soon as possible but within 15 days of becoming aware.
Cash Threshold Reports (CTR) - any transaction that includes an exchange of cash of more than R49,999.99 must be reported within 3 days of becoming aware.
Terrorist Property Reports - to be submitted when a client is suspected of possessing or controlling property that belongs to a client that could be linked to terrorism.
International Funds Transfer Reports
Terrorist Financing Activity Reports
Staff must understand when to escalate suspicious activity. Compliance is not the compliance officer’s job alone; it is everyone’s responsibility. The FIC guides on the reporting obligations are available for download.
Step 8: Employee Training Is Mandatory
Employees must:
Receive basic FIC training
Understand the RMCP
Recognise red flags
Know how to report
Without training, compliance systems fail. And if an employee misses a reportable transaction, the firm remains liable.
Step 9: Daily Monitoring Is Now Expected
One of the key updates discussed is the requirement to monitor the GoAML platform daily. Updates, notices, and changes are communicated there. If you miss them, “I didn’t see it” is not a defence. Compliance requires active management.
The Bigger Picture
FIC compliance is admin-heavy. It takes time, systems and discipline. But it also protects your practice. Done properly, it:
Reduces regulatory risk
Protects your reputation
Protects you from criminal exposure
Strengthens governance
Forces better client selection.
Many practitioners only realise the weight of compliance once they go through an audit. By then, it’s too late to fix gaps quickly.
In Conclusion
FIC compliance is not a form you submit; it is a system you live with. Once you register, accountability becomes permanent. The firms that treat it as a tick-box exercise are the ones that struggle when audits arrive. The firms that build it into their daily operations (risk rating properly, screening consistently, reporting on time, and training their teams) protect their reputation and their licence to operate. The question is simple: are you compliant on paper, or compliant in practice?