
FICA penalties are no longer rare events... Is your business FICA compliant enough to withstand scrutiny?

Published on FICACompliant.co.za  | FICA compliance | Penalties | Enforcement | AML | Accountable Institutions  |  South Africa
In the past 18 months, South African institutions across banking, legal, and financial services have been sanctioned with FICA penalties ranging from R7.7 million to over R50 million, and the enforcement pipeline is not slowing down.

Being FICA compliant is no longer something regulators take on trust. Under the Financial Intelligence Centre Act, every accountable institution is subject to FICA inspection, administrative sanction, and in serious cases, criminal prosecution.


What has changed in the past 18 months is the pace and breadth of enforcement. Capitec, Old Mutual, HSBC, and Standard Bank have all been sanctioned. So have a Johannesburg law firm, financial advisers, and crypto platforms. The pattern is consistent: institutions that treat the FIC Act as a documentation exercise rather than an operational framework are the ones receiving penalties.

How regulators determine the size of a penalty

When the Financial Intelligence Centre or a prudential regulator imposes sanctions, the quantum is not arbitrary. Investigators assess a structured set of factors: the nature and seriousness of the contravention, how long it persisted, whether the conduct was intentional or merely negligent, and whether the institution gained any commercial benefit from the non-compliance. Remedial action taken after the breach is identified is considered, but it mitigates the penalty; it does not eliminate it. Prior contraventions significantly worsen the outcome.

  • Up to R10m: Maximum administrative fine for individuals found personally liable for FICA contraventions

  • Up to R50m: Maximum administrative fine for companies, applicable to most accountable institutions

  • Up to R100m or 15 years: Criminal penalties for intentional breaches, directors and senior managers included

  • Public reprimand: Even a written caution is published; reputational damage compounds the financial cost

The personal liability exposure is the element most business owners underestimate. The FIC Act does not limit accountability to the entity. Directors, senior managers, and compliance officers can be held individually liable where their conduct or inaction contributed to the breach. A compliance officer who signed off on an inadequate RMCP, or a director who failed to allocate resources for FICA training, is not insulated by the corporate structure.

Three compliance failures that are driving most enforcement actions

RMCPs that are generic, outdated, or never operationalised. The most common finding across enforcement actions is an RMCP that exists as a document but does not reflect the institution's actual risk environment. A law firm handling conveyancing for foreign buyers carries different money laundering risks from one handling commercial litigation, and the RMCP must address those differences explicitly. Regulators are looking for evidence that the programme is being applied: that risk ratings are being assigned, that high-risk clients are triggering enhanced due diligence, and that the document has been reviewed as the business has evolved. A R7.7 million fine was imposed on a legal firm specifically because it had neither implemented an RMCP nor trained its staff. The FICA documents existed in some form; the operational program did not.


Customer due diligence that stops at onboarding. Initial client verification is the minimum requirement, not the full obligation. The FIC Act requires ongoing monitoring throughout the business relationship because a client's risk profile can change materially after onboarding. A client who was low-risk at FICA registration may become a politically exposed person, appear on a sanctions list, or exhibit transaction patterns inconsistent with the stated purpose of the relationship. Institutions that conduct due diligence once and file it are not meeting the ongoing monitoring standard. The enforcement actions against large financial institutions have consistently cited failures in this area; the same failure is equally actionable against a small estate agency or accounting practice.


Failure to submit reports on time via goAML. Suspicious transaction reports and cash threshold reports carry prescribed submission timeframes under the FIC Act. A financial services provider was recently penalised specifically for failing to report suspicious transactions within the required period: not for failing to identify the transactions, but for failing to submit on time. For institutions managing this process manually, delays accumulate. The FIC's goAML platform is the mandatory reporting channel, and submission records are auditable. During a FICA inspection, investigators will pull those records and cross-reference them against client files. Late or missing reports are immediately actionable.

Why the enforcement environment is intensifying in 2026

The 2025 Budget Speech allocated additional funding for forensic investigation and compliance monitoring, a signal that financial crime enforcement is a stated government priority, not just a regulatory posture. The FIC and SARS are both expanding their oversight capacity. South Africa's removal from the FATF greylist was hard-won; maintaining that status requires demonstrable domestic enforcement, and regulators are delivering it. Institutions that interpret the greylist exit as a reason to ease up on compliance are reading the environment backwards.

Practical steps to reduce your enforcement exposure now

  • Review your RMCP against your current business activities, client categories, and product lines. If it was written at the time of FICA registration and not revisited since, it is almost certainly out of date.

  • Audit your customer due diligence records for completeness. Verify that beneficial ownership is documented for all corporate clients, and that sanctions and PEP screening was conducted and recorded at onboarding.

  • Implement an ongoing monitoring process, not just a periodic review cycle. Client risk profiles must be tracked continuously, and material changes must trigger a documented reassessment.

  • Check your goAML submission history. Are cash threshold reports being filed within the prescribed timeframes? Is there an auditable log of suspicious transaction assessments and the decisions made on each one?

  • Conduct a training gap analysis and produce a training register. Verify that all staff with compliance responsibilities have received documented training within the past 12 months.

  • Brief your board or senior management on their personal liability exposure. The FIC Act's personal accountability provisions are not theoretical; they have been applied in recent enforcement actions.

Conclusion

The enforcement actions of the past 18 months describe a regulatory environment in which being FICA compliant means demonstrating operational compliance (documented, auditable, and current), not merely holding a FICA registration and a policy document. The penalty framework is severe, the personal liability exposure is real, and regulators now have the budget and mandate to pursue it across every sector. Smaller institutions are not exempt. If your business deals with money, you are accountable, and if your compliance program is not functioning as the FIC Act requires, you are exposed.


If your RMCP is not in that condition today, visit FICACompliant.co.za to get your free RMCP tailored for your business and use it to close the gaps before a regulator identifies them for you.
