The Financial Intelligence Centre Act is the spine of South Africa’s anti-money-laundering regime. South Africa exited the FATF grey list in October 2025 — but the obligations that got it there are now permanent, supervised and enforced. Here is what an accountable institution actually has to do.
The FIC Act is the law. The FATF grey-list exit is the context. Neither reduces what you have to do.
The Financial Intelligence Centre Act 38 of 2001 (FIC Act) is South Africa’s core AML/CFT statute. It creates the Financial Intelligence Centre (FIC), defines who counts as an accountable institution, and imposes the duties those institutions owe: know your customer, monitor, report, and keep records. If you move money for other people in South Africa, you are almost certainly inside it.
The headline of 2025 is that South Africa exited the FATF grey list on 24 October 2025, after 33 months of remediation that addressed all 22 action items. That is a reputational win — but it is the opposite of a relaxation. The reforms (beneficial-ownership registers, sanctions screening, supervisory intensity) are now baked in, and the next FATF mutual evaluation begins in 2026. Treat the regime as tighter, not looser.
Registration first, then the RMCP, then ongoing CDD, reporting and sanctions screening. All of it filed through goAML.
| Obligation | What it means | Trigger |
|---|---|---|
| FIC registration | Register as an accountable institution on the FIC’s goAML portal | Before you start operating as one |
| RMCP | A documented Risk Management & Compliance Programme — your written AML rulebook | Mandatory; must exist and be applied |
| CDD / KYC | Identify and verify customers; understand beneficial ownership | On onboarding and on change |
| CTR | Cash Threshold Report — report cash transactions at/above the prescribed limit | Automatic, threshold-based |
| STR / SAR | Suspicious Transaction / Activity Report | When suspicion arises — promptly |
| TFS screening | Targeted Financial Sanctions — screen against the UNSC / domestic lists | Continuously; freeze and report on a match |
If a supervisor visits, the RMCP and your goAML filings are the first two things they look at. Make them honest and current.
The Risk Management and Compliance Programme is not a policy you write once and shelf. It is the operating manual a supervisor will ask for first, and it must reflect what you actually do. It has to set out how you assess money-laundering, terrorist-financing and proliferation-financing risk; how you do CDD and enhanced due diligence; when and how you report; and how you screen for sanctions.
A generic RMCP copied from a template is a red flag. It must map to your products, customers, geographies and channels — and you must be able to show the assessment behind it.
Establishing who ultimately owns and controls a customer was a core grey-list fix. Build it into onboarding, not as an afterthought.
TFS lists change. A customer clean on day one can appear on a list on day 200. Re-screen the book, not just new applicants.
For STRs, the standard is to report when suspicion arises. Keep the reasoning — a defensible decision not to report is also evidence you were watching.
Exit was earned by sustained enforcement. The supervisors who built that capability still have it, and the 2026 mutual evaluation will test whether the results are durable — prosecutions, confiscations, penalties.
During greylisting some correspondents de-risked SA exposure. Exit should ease that — but do not assume a counterparty’s policy has caught up. Confirm, do not presume.
The FIC and sector supervisors can impose administrative sanctions for RMCP, reporting and screening failures. These do not require a criminal conviction.
Open above; the where-to-spend judgement is for members.
Register on goAML before you transact, and write the RMCP before you scale, not after a supervisor asks. The expensive mistake is retrofitting beneficial-ownership capture and continuous sanctions screening onto a live book — it is far cheaper to build them into onboarding from the first customer.
The grey-list exit is a marketing fact, not a compliance one. Hold your controls. The institutions that loosened during past delistings elsewhere are the ones that re-list. Your edge now is being demonstrably clean to correspondents who are re-rating SA risk upward.
A weak RMCP plus a missed STR is the combination that draws administrative penalties and, in a 2026-evaluation year, supervisory attention you do not want to attract.