"WHY DO YOU NEED ALL THIS INFORMATION?" POPIA, FICA, AND WHAT BUSINESSES CAN LAWFULLY ASK THEIR CLIENTS

POPIA and personal information

If you have ever opened a bank account, instructed an attorney, or signed up with an estate agent and been asked for copies of your ID, proof of address, or details about the source of your funds — you may have wondered whether that business is entitled to ask for all of that. The short answer is yes. But there are rules about how much they can ask for, what they can do with it, and how long they can keep it.


Two laws working side by side

South Africa has two major pieces of legislation that govern how your personal information is collected and used by businesses.


The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's data privacy law. Its purpose is to protect you — the individual — from the careless or unlawful use of your personal information. Under POPIA, any business that collects your personal data must do so lawfully, for a specific purpose, and may only keep it for as long as necessary. The Information Regulator enforces POPIA and can impose fines of up to R10 million for serious breaches.


The Financial Intelligence Centre Act 38 of 2001 (FICA) serves a different purpose. It is designed to combat money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction. FICA requires certain businesses (called accountable institutions) to verify who their clients are, understand where their money comes from, and report suspicious activity to the Financial Intelligence Centre (FIC). Accountable institutions include legal practitioners, estate agents, banks, accountants, trust and company service providers, and high-value goods dealers, among others.


Do these laws conflict?

There appears to be tension: POPIA says collect only what you need, while FICA says collect and verify your client’s information. What happens when a client refuses, citing their right to privacy?


The FIC has resolved this directly in Public Compliance Communication 22A (PCC 22A). The FIC's position is clear: FICA and POPIA are not in conflict. FICA itself provides the legal justification for collecting personal information — which means a business that collects client data to comply with FICA is not breaching POPIA, because it is fulfilling a legal obligation.


In plain language: a client cannot refuse to provide their ID or proof of address to an accountable institution by invoking their POPIA rights. FICA overrides that objection, and the business is legally required to ask.


The golden rule: only ask for what you need

FICA justifies the collection of personal information, but it does not give businesses a blank cheque. According to PCC 22A, the harmony between the two laws lies in proportionality: a business may only collect information that is necessary and proportionate to the specific money laundering or terrorist financing risk the client actually presents.


This is where FICA's risk-based approach becomes important. Lower-risk clients require standard due diligence — basic identity verification. Higher-risk clients (for example, those dealing in large cash transactions or complex ownership structures) may require enhanced due diligence, which can include more detailed information about their source of funds, business activities, and beneficial owners. Collecting that extra information from a high-risk client is lawful. Collecting it from every client regardless of risk would be excessive and a breach of POPIA.


What if a client still refuses?

PCC 22A is equally clear on this. If a client refuses to provide the personal information required under FICA (whether based on privacy concerns or any other reason), the accountable institution has no choice. It cannot take on that client or proceed with the transaction. If an existing relationship is already in place, it must be terminated in accordance with the institution's Risk Management and Compliance Programme (RMCP).

The institution must also consider whether a suspicious activity report needs to be filed with the FIC — and critically, it cannot tell the client that it has done so. Disclosing that a suspicious transaction report has been filed is a criminal offence under FICA known as "tipping off."


The FICA deadline arriving now

Directive 11 of 2026 (issued 31 March 2026) requires specified accountable institutions to submit a 2026 Risk and Compliance Return (RCR), a self-assessment covering three years of FICA compliance.


Certain accountable institutions, including trust and company service providers and casinos, are required to submit their RCRs by 30 June 2026, while estate agents, legal practitioners, high-value goods dealers and non-casino gambling licence holders are required to submit their RCRs by 31 July 2026.


How we can help

Are you a business with a compliance deadline approaching? Whether you need your RMCP reviewed or drafted, your RCR submission prepared, or your client onboarding processes aligned with both FICA and POPIA, our team is ready to assist.

Or are you a client being asked for more than seems reasonable? If a business has requested personal information from you in connection with FICA and the request feels unusually broad or intrusive, you do not have to simply accept it. If you are unsure whether a request is lawful and proportionate, we can help you assess it. Reach out to Gittins Attorneys Inc. and let us advise you on your rights.
