The Accountant's Magnifying Glass: Finding Out Who Your Client Really Is
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
How to Actually Do a KYC on Your Client
You know you need to do it. FICA says so. But what does a proper KYC actually look like in practice? What do you collect, how do you assess risk, and what do you do with it all? Here is a step-by-step guide for CBAPs.
Most accountants know they have KYC obligations under FICA. Far fewer have a consistent, documented process for actually doing it. The result is client files that are half-complete, risk assessments that exist nowhere on paper, and a practice that is technically non-compliant. Not because anyone is cutting corners, but because nobody sat down and built the process.
This article does that for you. It walks through a KYC from the beginning: who you need to identify, what you need to collect, how to assess risk, and what ongoing obligations kick in after onboarding. Keep it, adapt it, and use it.
Step 1: Know Who You Are Onboarding
Before you collect anything, establish what type of client you are dealing with. The documents you need and the depth of your due diligence depend entirely on this.
Natural person (individual): A sole trader, freelancer, or individual hiring you in a personal capacity. Simplest to verify.
Legal entity (company, CC, trust, partnership): You need to verify both the entity itself and the people behind it. This is where most practices underdo the work.
Beneficial owner: Any individual who ultimately owns or controls 5% or more of the entity, or who exercises effective control regardless of ownership percentage. You must identify all of them, not just the director who signs your engagement letter.
If the client is acting on behalf of someone else (a trustee acting for beneficiaries, or an agent acting for a principal), you need to verify both the person in front of you and the person they represent.
Step 2: Collect the Right Documents
Here is what you need for each client type. This is your standard collection list. Do not start work until you have these.
For an individual:
• Certified copy of South African ID or valid passport for foreign nationals
• Proof of residential address, not older than three months (utility bill, bank statement, or municipal rates account in the client's name)
• If acting as an agent or trustee: written authority confirming that role
For a company (Pty Ltd) or close corporation:
• CIPC registration documents (CoR14.3 or CK1 for CCs)
• Memorandum of Incorporation or founding statement
• Proof of registered address, not older than three months
• List of all directors and all beneficial owners (5% or above)
• Certified ID or passport copy for each director and each beneficial owner
• Proof of address for each beneficial owner
• CIPC beneficial ownership register confirmation (check that the client's filing is current under the Companies Amendment Act 2024)
For a trust:
• Trust deed
• Letter of authority from the Master of the High Court
• Certified ID and proof of address for each trustee
• Certified ID and proof of address for each beneficiary who is identifiable at the time of onboarding
• Certified ID and proof of address for the founder, if still living
For all clients, two additional checks:
• PEP screening: is the client, or any beneficial owner, a current or former government official, senior public servant, or family member or close associate of one? If yes, Enhanced Due Diligence applies automatically.
• Sanctions screening: check the client against the United Nations Security Council consolidated list and the OFAC SDN list. The FIC publishes targeted financial sanctions lists at www.fic.gov.za.
Step 3: Verify, Not Just Collect
Collecting documents is not verification. FICA requires you to verify the information, which means checking that what the client tells you is consistent with what the documents show, and that the documents themselves appear genuine.
For most CBAP practices, verification means:
• Comparing the certified ID to the person in front of you (or, for remote onboarding, to a clear video or high-quality scan)
• Confirming the company exists and is active on the CIPC portal at www.cipc.co.za. This takes two minutes, is free, and is not optional.
• Confirming that the beneficial ownership information the client has given you matches what is registered at CIPC
• Checking that proof of address documents are in the client's name and are current
• For trusts: confirming the letter of authority is valid and the trust has not been wound up
You do not need to be a forensic document examiner. You do need to be alert to obvious inconsistencies: addresses that differ between documents, ID numbers that do not match dates of birth, company names that do not appear on CIPC. If something looks wrong, ask. If you cannot resolve it, do not onboard.
Step 4: Assess the Risk
Every client must have a documented risk rating. This is your Risk-Based Approach under FICA, and it must be recorded, not just thought about. Your risk assessment determines how much due diligence you apply and how frequently you review the client.
Rate each client as low, medium, or high risk based on the following factors:
Client risk: Is the client a PEP or connected to one? Does the client operate in a high-risk sector such as cash-intensive businesses, gambling, crypto, precious metals, or property? Is the client from or operating in a high-risk jurisdiction?
Geographic risk: Countries subject to FATF mutual evaluation concerns, UN sanctions, or EU high-risk designations carry elevated risk automatically. For domestic clients, consider whether the business activity involves cross-border payments or foreign beneficial owners.
Product and service risk: What are you actually doing for this client? Routine bookkeeping for a small retailer carries different risk from trust administration, company formation services, or managing large cash flows.
Delivery channel risk: Did you meet this client in person, or is the entire relationship remote? Remote onboarding carries higher inherent risk.
Document your rating and the reasons for it. A one-page risk assessment form per client is sufficient. It does not need to be elaborate. It needs to exist and to be defensible if the FIC ever asks.
Step 5: Apply the Right Level of Due Diligence
Standard Due Diligence applies to low and medium risk clients. This is the full document collection and verification process described above. You complete it once at onboarding and review it when circumstances change.
Enhanced Due Diligence (EDD) is mandatory for high-risk clients, including all PEPs, clients from high-risk jurisdictions, and any situation where the client's source of funds is unclear or the business relationship has unusual features.
For EDD clients, you must additionally:
• Obtain senior management approval before establishing the relationship
• Establish the source of funds and source of wealth. Do not just ask: document the explanation and assess whether it is plausible.
• Apply more frequent ongoing monitoring
• Keep more detailed records of transactions and instructions
Simplified due diligence at a reduced level is only available for a narrow category of clients: listed public companies, government entities, and regulated financial institutions where the risk is demonstrably low by virtue of their regulated status. Do not apply reduced due diligence to SME clients.
Step 6: Keep the Records
FICA requires you to retain KYC records for five years from the date the business relationship ends, or five years from the date of a transaction if there is no ongoing relationship. Your record-keeping system must allow you to:
• Retrieve any client's KYC file quickly
• Show the date on which each document was obtained and verified
• Demonstrate that the risk assessment was conducted and recorded
• Produce the file to the FIC if requested
Set a calendar reminder to review each client's file annually. At minimum, check that proof of address is still current, that there have been no changes to beneficial ownership, and that the risk rating still reflects the client's actual activity.
Step 7: Know When to Report
If at any point in the relationship, whether during onboarding or later, you become aware or suspect that a transaction or instruction involves the proceeds of crime or may relate to terrorist financing, you are legally obligated to submit a Suspicious Transaction Report to the FIC. You do not need to be certain. Suspicion is the threshold.
The report goes to the FIC through goAML at www.goaml.fic.gov.za. You do not tell the client you have filed. You do not delay. The obligation to report is separate from whether you continue or terminate the relationship.
You are also required to file a Cash Threshold Report for any cash transaction above R49 999.99, whether in a single transaction or in what appears to be a structured series. This applies even if the transaction is entirely legitimate.
The Practical Bottom Line
A FICA-compliant KYC process for most CBAP practices is not complicated. It requires a standard document checklist, a simple one-page risk assessment form, a consistent verification habit, a structured filing system, and a calendar reminder to review files annually. That is the whole thing.
If your practice does not have this in place today, build it this week. Not because an inspection is imminent, but because you are personally liable for non-compliance, and because clients who see a professional and organised onboarding process trust you more from day one.
The FIC's guidance documents at www.fic.gov.za contain worked examples for different Accountable Institution types. CIBA's practice management resources can help you adapt them for your specific client base.
Quick Reference: KYC Checklist for a New Business Client
☐ CIPC registration confirmed and entity is active
☐ Certified ID collected for all directors
☐ Certified ID collected for all beneficial owners (5%+)
☐ Proof of address collected for entity (not older than 3 months)
☐ Proof of address collected for each beneficial owner
☐ CIPC beneficial ownership register verified
☐ PEP screening completed and documented
☐ Sanctions screening completed and documented
☐ Risk rating assigned and recorded
☐ EDD applied if high-risk (senior sign-off, source of funds documented)
☐ Engagement letter references FICA obligations
☐ File stored with date of collection recorded
☐ Annual review date set